# SARE HTML Ruleset for SpamAssassin - ruleset 0 
# Version: 01.03.10
# Created: 2004-03-31 
# Modified: 2006-06-03
# Usage instructions, documentation, and change history in 70_sare_html0.cf 

#@@# Revision History:  Full Revision History stored in 70_sare_html.log
#@@# 01.03.09: May 31 2006
#@@#           Minor score tweaks based on recent mass-checks
#@@#           Moved file 0 to file 2:   SARE_HTML_EHTML_OBFU
#@@#           Moved file 0 to file 2:   SARE_HTML_HEAD_AFFIL
#@@#           Moved file 0 to file 2:   SARE_HTML_LEAKTHRU1
#@@#           Moved file 0 to file 2:   SARE_HTML_LEAKTHRU2
#@@#           Moved file 0 to file 2:   SARE_HTML_ONE_LINE3
#@@#           Moved file 0 to file 2:   SARE_HTML_POB1200
#@@#           Moved file 0 to file 2:   SARE_HTML_URI_HIDADD
#@@#           Moved file 0 to file 2:   SARE_HTML_URI_LOGOGEN
#@@#           Moved file 0 to file 2:   SARE_HTML_URI_OFF
#@@#           Moved file 0 to file 2:   SARE_HTML_USL_B7
#@@#           Moved file 0 to file 2:   SARE_HTML_USL_B9
#@@#           Moved file 0 to file 2:   SARE_PHISH_HTML_01
#@@#           Added file 0:             SARE_HTML_FLOAT1
#@@# 01.03.10: June 3 2006
#@@#           Minor score tweaks based on recent mass-checks
#@@#           Added file 0              SARE_HTML_LINKWARN
#@@#           Added file 0              SARE_HTML_SPANNER

# License: Artistic - see http://www.rulesemporium.com/license.txt 
# Current Maintainer: Bob Menschel - RMSA@Menschel.net
# Current Home: http://www.rulesemporium.com/rules/70_sare_html0.cf 
#
# Usage:  This family of files, 70_sare_html*.cf, contain rules that test HTML strings within emails
#         (except URIs, which are handled in the 70_sare_uri*.cf family of files).
#
# File 0: 70_sare_html0.cf -- These are html rules that hit at least 10 spam and no ham. 
#         While SARE cannot guarantee they never will hit ham, they have not hit ham in any SARE mass-check, against tens of thousands of ham.
#         This is a rules file we expect any/all email systems using SpamAssassin to benefit from. 
#
# File 1: 70_sare_html1.cf -- These are html rules that meet one of the follow criteria: 
#         a) Rules that do, or in the past have hit ham during SARE mass-check tests 
#         b) Rules that hit no ham and currently do not hit more than 10 spam in any single mass-check run. 
#         If the rules hit ham, they hit at last 10 spam to each 1 ham. 
#         If the rules hit ham, they hit fewer than 100 ham 
#         With few exceptions these rules score significantly less than the rules in file 0. 
#         Systems which are very sensitive to false positives and/or need to be very careful about resource use may want to exclude this ruleset, 
#         pick and choose among its rules, or lower their scores.
#         Systems that use this file 1 should ALSO use file 0. 
#
# File 2: 70_sare_html2.cf -- These html rules hit no spam at this time, but they are considered "safe" rules that should never hit ham.
#         These are primarily rules that test for specific html seen only in spam, or similar types of "pretty darn sure" rules. 
#         Systems which are very sensitive to SpamAssassin overhead may want to exclude this ruleset file to avoid its overhead, 
#         but systems with plenty of resources that want to be aggressive against spam may benefit from this ruleset file.
#
# File 3: 70_sare_html3.cf -- These are html rules that hit a significant amount of ham during SARE mass-check tests. 
#         Systems which are very sensitive to false positives or to SA resource usage should NOT install this ruleset. 
#
# File 4: 70_sare_html4.cf -- These are html rules that meet one of the following criteria: 
#         a) They hit over 100 ham during SARE mass-check tests, but still hit enough spam to be worth while to aggressively anti-spam systems. 
#         b) They hit no emails at this time, but have been recommended by anti-spam sources.
#         Again, systems which are very sensitive to false positives or to SA resource usage should NOT install this ruleset. 
#
# eng:    70_sare_html_eng.cf -- These are html rules which work well within the English language, but are liable to cause false
#         positives in other languages. They include rules which test for letter combinations. Systems that
#         receive ham in languages other than English should NOT use this file. 
#
# x30:    70_sare_html_x30.cf -- These are html rules which have been incorporated into SpamAssassin 3.0.x, 
#         or which duplicate or greatly overlap 3.0.x rules. 
#         Systems which have installed SpamAssassin 3.0.x should therefore NOT use this file.
#
# arc:    70_sare_html_arc.cf -- These are html rules that once were published in other files, but which have since lost all value.
#         They either hit too much ham (without hitting enough spam to make it worth while), or they don't hit any spam. 
#         SARE regularly runs mass-checks on these rules to see if any of them are worth reviving, but 
#         we expect that nobody will be running these rules in any production system. 
#
########  ######################   ##################################################

########  ######################   ##################################################
#         Rules renamed or moved
########  ######################   ##################################################

meta      SARE_HTML_ALT_WAIT2      __SARE_HEAD_FALSE
meta      SARE_HTML_BADOPEN        __SARE_HEAD_FALSE
meta      SARE_HTML_BAD_FG_CLR     __SARE_HEAD_FALSE
meta      SARE_HTML_COLOR_B        __SARE_HEAD_FALSE
meta      SARE_HTML_COLOR_NWHT3    __SARE_HEAD_FALSE
meta      SARE_HTML_FONT_INVIS2    __SARE_HEAD_FALSE
meta      SARE_HTML_FSIZE_1ALL     __SARE_HEAD_FALSE
meta      SARE_HTML_GIF_DIM        __SARE_HEAD_FALSE
meta      SARE_HTML_HTML_AFTER     __SARE_HEAD_FALSE
meta      SARE_HTML_HTML_DBL       __SARE_HEAD_FALSE
meta      SARE_HTML_HTML_TBL       __SARE_HEAD_FALSE
meta      SARE_HTML_IMG_ONLY       __SARE_HEAD_FALSE
meta      SARE_HTML_JVS_HREF       __SARE_HEAD_FALSE
meta      SARE_HTML_MANY_BR10      __SARE_HEAD_FALSE
meta      SARE_HTML_MANY_BR10      __SARE_HEAD_FALSE
meta      SARE_HTML_NO_BODY        __SARE_HEAD_FALSE
meta      SARE_HTML_NO_HTML1       __SARE_HEAD_FALSE
meta      SARE_HTML_P_JUSTIFY      __SARE_HEAD_FALSE
meta      SARE_HTML_TITLE_SEX      __SARE_HEAD_FALSE
meta      SARE_HTML_URI_2SLASH     __SARE_HEAD_FALSE
meta      SARE_HTML_URI_AXEL       __SARE_HEAD_FALSE
meta      SARE_HTML_URI_BADQRY     __SARE_HEAD_FALSE
meta      SARE_HTML_URI_FORMPHP    __SARE_HEAD_FALSE
meta      SARE_HTML_URI_HREF       __SARE_HEAD_FALSE
meta      SARE_HTML_URI_MANYP2     __SARE_HEAD_FALSE
meta      SARE_HTML_URI_MANYP3     __SARE_HEAD_FALSE
meta      SARE_HTML_URI_NUMPHP3    __SARE_HEAD_FALSE
meta      SARE_HTML_URI_OBFU4      __SARE_HEAD_FALSE
meta      SARE_HTML_URI_OBFU4a     __SARE_HEAD_FALSE
meta      SARE_HTML_URI_PARTID     __SARE_HEAD_FALSE
meta      SARE_HTML_URI_RID        __SARE_HEAD_FALSE
meta      SARE_HTML_USL_MULT       __SARE_HEAD_FALSE
meta      SARE_HTML_FONT_EBEF      __SARE_HEAD_FALSE
meta      SARE_HTML_URI_DEFASP     __SARE_HEAD_FALSE
meta      SARE_HTML_INV_TAGA       __SARE_HEAD_FALSE
meta      SARE_HTML_EHTML_OBFU     __SARE_HEAD_FALSE
meta      SARE_HTML_HEAD_AFFIL     __SARE_HEAD_FALSE
meta      SARE_HTML_LEAKTHRU1      __SARE_HEAD_FALSE
meta      SARE_HTML_LEAKTHRU2      __SARE_HEAD_FALSE
meta      SARE_HTML_ONE_LINE3      __SARE_HEAD_FALSE
meta      SARE_HTML_POB1200        __SARE_HEAD_FALSE
meta      SARE_HTML_URI_HIDADD     __SARE_HEAD_FALSE
meta      SARE_HTML_URI_LOGOGEN    __SARE_HEAD_FALSE
meta      SARE_HTML_URI_OFF        __SARE_HEAD_FALSE
meta      SARE_HTML_USL_B7         __SARE_HEAD_FALSE
meta      SARE_HTML_USL_B9         __SARE_HEAD_FALSE
meta      SARE_PHISH_HTML_01       __SARE_HEAD_FALSE

########  ######################   ##################################################

rawbody   __SARE_HTML_HAS_A        eval:html_tag_exists('a')
rawbody   __SARE_HTML_HAS_BR       eval:html_tag_exists('br')
rawbody   __SARE_HTML_HAS_DIV      eval:html_tag_exists('div')
rawbody   __SARE_HTML_HAS_FONT     eval:html_tag_exists('font')
rawbody   __SARE_HTML_HAS_IMG      eval:html_tag_exists('img')
rawbody   __SARE_HTML_HAS_P        eval:html_tag_exists('p')
rawbody   __SARE_HTML_HAS_PRE      eval:html_tag_exists('pre')
rawbody   __SARE_HTML_HAS_TITLE    eval:html_tag_exists('title')

rawbody   __SARE_HTML_HBODY        m'<html><body>'i
rawbody   __SARE_HTML_BEHTML       m'<body></html>'i
rawbody   __SARE_HTML_BEHTML2      m'^</?body></html>'i
rawbody   __SARE_HTML_EFONT        m'^</font>'i
rawbody   __SARE_HTML_EHEB         m'^</html></body>'i
rawbody   __SARE_HTML_CMT_CNTR     /<center><!--/

# JH: These rules test for strange color combinations. There migth be even more powerful combinations, but I haven't had time to check them all
rawbody   __SARE_LIGHT_FG_COLOR    /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!fff\W|ffffff)(?:[e-f]{3}\W|(?:[e-f][0-9a-f]){3})|rgb(?:\((?!\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255)\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10}\)|\((?!\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%)\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10}\))|(?:Light(?:Cyan|Yellow)|(?:Ghost|Floral)White|WhiteSmoke|LemonChiffon|AliceBlue|Cornsilk|Seashell|Honeydew|Azure|MintCream|Snow|Ivory|OldLace|LavenderBlush|Linen|MistyRose))/i
rawbody   __SARE_WHITE_FG_COLOR    /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:fff\W|ffffff)|rgb(?:\(\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255\s{0,10}\)|\\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10}\))|white)/i
rawbody   __SARE_DARK_FG_COLOR     /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!000\W|000000)(?:[01]{3}\W|(?:[01][0-9a-f]){3})|rgb(?:\((?!\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\D)\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10}\)|\((?!\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%)\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10}\)))/i
rawbody   __SARE_BLACK_FG_COLOR    /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:000\W|000000)|rgb\s{0,10}\(\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\s{0,10}\)|rgb\s{0,10}\(\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10}\)|black)/i
rawbody   __SARE_LIGHT_BG_COLOR    /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!ffffff|fff\W)(?:[e-f]{3}\W|(?:[e-f][0-9a-f]){3})|rgb(?:\((?!\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255)\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10}\)|\((?!\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%)\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10}\))|(?:Light(?:Cyan|Yellow)|(?:Ghost|Floral)White|WhiteSmoke|LemonChiffon|AliceBlue|Cornsilk|Seashell|Honeydew|Azure|MintCream|Snow|Ivory|OldLace|LavenderBlush|Linen|MistyRose))/i
rawbody   __SARE_WHITE_BG_COLOR    /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:fff\W|ffffff)|rgb(?:\(\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255\s{0,10}\)|\(\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10}\))|white)/i
rawbody   __SARE_DARK_BG_COLOR     /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!000\W|000000)(?:[01]{3}\W|(?:[01][0-9a-f]){3})|rgb(?:\((?!\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\D)\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10}\)|\((?!\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%)\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10}\)))/i
rawbody   __SARE_BLACK_BG_COLOR    /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:000\W|000000)|rgb\s{0,10}\(\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\s{0,10}\)|rgb\s{0,10}\(\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10}\)|black)/i
rawbody   __SARE_HAS_BG_COLOR      /(?:bg|background\-)color\s{0,10}(?::|=)/i
rawbody   __SARE_HAS_FG_COLOR      /[^\-a-z]color\s{0,10}(?::|=)/i

########  ######################   ##################################################
#   <HTML> and <BODY> tag spamsign
########  ######################   ##################################################

########  ######################   ##################################################
#   <A> and HREF rules          
########  ######################   ##################################################

rawbody   SARE_HTML_A_INV          /href\w*href/i
describe  SARE_HTML_A_INV          HTML has malformed anchor/href tag
score     SARE_HTML_A_INV          3.333 
#stype    SARE_HTML_A_INV          spamg
#wasalso  SARE_HTML_A_INV          /href[a-z]*href/i
#wasalso  SARE_HTML_A_INV          Fred's FR_FUNNY_HREF
#wasalso  SARE_HTML_A_INV          /\w\whref=http:/i  from  David B Funk <dbfunk@engineering.uiowa.edu> Wed, 17 Mar 2004 04:04:58 -0600 (CST)
#counts   SARE_HTML_A_INV          8s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_A_INV          628s/0h of 66351 corpus (40971s/25380h RM) 08/21/04
#counts   SARE_HTML_A_INV          7s/0h of 9987 corpus (5656s/4331h AxB) 05/14/06
#counts   SARE_HTML_A_INV          38s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
#counts   SARE_HTML_A_INV          4s/0h of 13290 corpus (7418s/5872h CT) 05/14/06
#max      SARE_HTML_A_INV          23s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
#counts   SARE_HTML_A_INV          2s/0h of 42447 corpus (34332s/8115h FVGT) 05/15/06
#counts   SARE_HTML_A_INV          8s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#max      SARE_HTML_A_INV          101s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
#counts   SARE_HTML_A_INV          3s/0h of 106350 corpus (72966s/33384h ML) 05/15/06
#counts   SARE_HTML_A_INV          0s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
#max      SARE_HTML_A_INV          2s/0h of 31513 corpus (27912s/3601h MY) 03/09/05

rawbody   SARE_HTML_LINKWARN       /\bShowLinkWarning\b/
score     SARE_HTML_LINKWARN       1.133
describe  SARE_HTML_LINKWARN       Possible spam sign in HTML
#hist     SARE_HTML_LINKWARN       Loren Wilton, April 2006
#counts   SARE_HTML_LINKWARN       126s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
#counts   SARE_HTML_LINKWARN       5s/0h of 55981 corpus (51658s/4323h AxB2) 05/15/06
#counts   SARE_HTML_LINKWARN       17s/0h of 13285 corpus (7413s/5872h CT) 05/14/06
#counts   SARE_HTML_LINKWARN       60s/0h of 155481 corpus (103930s/51551h DOC) 05/15/06
#counts   SARE_HTML_LINKWARN       168s/0h of 42253 corpus (34139s/8114h FVGT) 05/15/06
#counts   SARE_HTML_LINKWARN       12s/0h of 106183 corpus (72941s/33242h ML) 05/14/06
#counts   SARE_HTML_LINKWARN       26s/0h of 22939 corpus (17232s/5707h MY) 05/14/06

########  ######################   ##################################################
#   Spamsign character sets and fonts 
########  ######################   ##################################################

rawbody   SARE_HTML_FONT_LWORD     m'^<font style=font-size:1px>[a-z]{30,}\.</font><br>'i
describe  SARE_HTML_FONT_LWORD     unusual document format
score     SARE_HTML_FONT_LWORD     1.666
#hist     SARE_HTML_FONT_LWORD     Loren Wilton: LW_SPAMFERSURE
#counts   SARE_HTML_FONT_LWORD     0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_FONT_LWORD     194s/0h of 400504 corpus (178155s/222349h RM) 03/31/05
#counts   SARE_HTML_FONT_LWORD     2s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
#counts   SARE_HTML_FONT_LWORD     81s/0h of 54969 corpus (17793s/37176h JH-3.01) 03/13/05
#counts   SARE_HTML_FONT_LWORD     0s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
#counts   SARE_HTML_FONT_LWORD     0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#max      SARE_HTML_FONT_LWORD     2s/0h of 10826 corpus (6364s/4462h CT) 05/28/05

full      SARE_HTML_FONT_SPLIT     /<font color=\n\n"?\#[a-f]\w[a-f]\w[a-f]\w"?>/i
describe  SARE_HTML_FONT_SPLIT     HTML bright font color tag split by blank lines
score     SARE_HTML_FONT_SPLIT     1.666
#hist     SARE_HTML_FONT_SPLIT     David B Funk <dbfunk@engineering.uiowa.edu> Wed, 17 Mar 2004 04:04:58 -0600 (CST)
#overlap  SARE_HTML_FONT_SPLIT     Overlaps strongly with SARE_HTML_A_INV, though there's no regex overlap
#overlap  SARE_HTML_FONT_SPLIT     Overlaps strongly with SARE_HTML_FONT_SPL for obvious reasons, but not enough to warrant dropping one.
#counts   SARE_HTML_FONT_SPLIT     5s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_FONT_SPLIT     431s/0h of 85073 corpus (62478s/22595h RM) 06/07/04
#counts   SARE_HTML_FONT_SPLIT     5s/0h of 9987 corpus (5656s/4331h AxB) 05/14/06
#counts   SARE_HTML_FONT_SPLIT     1s/0h of 13290 corpus (7418s/5872h CT) 05/14/06
#max      SARE_HTML_FONT_SPLIT     14s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
#counts   SARE_HTML_FONT_SPLIT     31s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
#counts   SARE_HTML_FONT_SPLIT     6s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#max      SARE_HTML_FONT_SPLIT     65s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
#counts   SARE_HTML_FONT_SPLIT     3s/0h of 106350 corpus (72966s/33384h ML) 05/15/06
#counts   SARE_HTML_FONT_SPLIT     0s/0h of 26326 corpus (22886s/3440h MY) 02/15/05

########  ######################   ##################################################
#   <TITLE> Tag Tests
########  ######################   ##################################################

########  ######################   ##################################################
#  Obviously invalid html tag
########  ######################   ##################################################

########  ######################   ##################################################
#   Invalid or Suspicious URI Tests
########  ######################   ##################################################

########  ######################   ##################################################
#  <!-- Comment tag tests
########  ######################   ##################################################

########  ######################   ##################################################
#   Image tag tests
########  ######################   ##################################################

rawbody   SARE_HTML_IMG_CID2       /\"cid:(?:[A-Z]{8}\.){3}[A-Z]{8}_csseditor\"/ # no /i
describe  SARE_HTML_IMG_CID2       table spam image
score     SARE_HTML_IMG_CID2       2.222
#hist     SARE_HTML_IMG_CID2       Loren Wilton, May 2005
#counts   SARE_HTML_IMG_CID2       0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_IMG_CID2       1224s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HTML_IMG_CID2       66s/0h of 13290 corpus (7418s/5872h CT) 05/14/06
#max      SARE_HTML_IMG_CID2       114s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts   SARE_HTML_IMG_CID2       63s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
#counts   SARE_HTML_IMG_CID2       2s/0h of 7500 corpus (1767s/5733h ft) 09/18/05
#counts   SARE_HTML_IMG_CID2       45s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#counts   SARE_HTML_IMG_CID2       8s/0h of 106350 corpus (72966s/33384h ML) 05/15/06
#counts   SARE_HTML_IMG_CID2       4s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
#max      SARE_HTML_IMG_CID2       37s/0h of 57287 corpus (52272s/5015h MY) 09/22/05

########  ######################   ##################################################
#   Javascript and object tests     
########  ######################   ##################################################

########  ######################   ##################################################
#   Header tags
########  ######################   ##################################################

########  ######################   ##################################################
#   Paragraphs, breaks, and spacings
########  ######################   ##################################################

rawbody   __SARE_HTML_FLOAT1A      /^\s*(?:=(?:3[Dd])?\s*\"\s*)?float\s*(?:\:\s*)?$/i
rawbody   __SARE_HTML_FLOAT1B      /^(?:\s*|=(?:3D)?")?float:?\s*$/i
meta      SARE_HTML_FLOAT1         __SARE_HTML_FLOAT1A || __SARE_HTML_FLOAT1B
describe  SARE_HTML_FLOAT1         Contains HTML formatting used in spam 
score     SARE_HTML_FLOAT1         2.666
#counts   SARE_HTML_FLOAT1         574s/0h of 192466 corpus (93270s/99196h RM) 05/31/06
#counts   SARE_HTML_FLOAT1         21s/0h of 26358 corpus (22027s/4331h AxB2) 06/01/06
#counts   SARE_HTML_FLOAT1         125s/0h of 13285 corpus (7412s/5873h CT) 05/31/06
#counts   SARE_HTML_FLOAT1         1645s/0h of 162350 corpus (110752s/51598h DOC) 05/31/06
#counts   SARE_HTML_FLOAT1         40s/0h of 15726 corpus (7781s/7945h FT) 05/31/06
#counts   SARE_HTML_FLOAT1         3054s/0h of 119967 corpus (84310s/35657h ML) 05/31/06
#counts   SARE_HTML_FLOAT1         17s/0h of 22937 corpus (17232s/5705h MY) 05/31/06

rawbody   SARE_HTML_ORIG_MSG       /^-----original message-----<br>$/
describe  SARE_HTML_ORIG_MSG       Fake replied message?
score     SARE_HTML_ORIG_MSG       1.666
#hist     SARE_HTML_ORIG_MSG       Tim Jackson, May 12, 2005
#counts   SARE_HTML_ORIG_MSG       65s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
#counts   SARE_HTML_ORIG_MSG       6s/0h of 13290 corpus (7418s/5872h CT) 05/14/06
#max      SARE_HTML_ORIG_MSG       12s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
#counts   SARE_HTML_ORIG_MSG       14s/0h of 9987 corpus (5656s/4331h AxB) 05/14/06
#counts   SARE_HTML_ORIG_MSG       38s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
#counts   SARE_HTML_ORIG_MSG       22s/1h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#counts   SARE_HTML_ORIG_MSG       119s/0h of 106350 corpus (72966s/33384h ML) 05/15/06
#counts   SARE_HTML_ORIG_MSG       10s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
#max      SARE_HTML_ORIG_MSG       154s/0h of 47221 corpus (42968s/4253h MY) 06/18/05

rawbody   SARE_HTML_SPANNER        /> [a-z] <\/span>[a-z]<span/i
describe  SARE_HTML_SPANNER        spammer is a SARE_HTML_SPANNER
score     SARE_HTML_SPANNER        2.222
#hist     SARE_HTML_SPANNER        variation apparently scheduled for SA distribution in 3.2
#hist     SARE_HTML_SPANNER        Robert Brooks, March 2006
#counts   SARE_HTML_SPANNER        1849s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
#counts   SARE_HTML_SPANNER        7s/0h of 9982 corpus (5652s/4330h AxB) 05/14/06
#counts   SARE_HTML_SPANNER        108s/0h of 13285 corpus (7413s/5872h CT) 05/14/06
#counts   SARE_HTML_SPANNER        959s/0h of 155481 corpus (103930s/51551h DOC) 05/15/06
#counts   SARE_HTML_SPANNER        31s/0h of 42253 corpus (34139s/8114h FVGT) 05/15/06
#counts   SARE_HTML_SPANNER        3027s/0h of 106183 corpus (72941s/33242h ML) 05/14/06
#counts   SARE_HTML_SPANNER        9s/0h of 22939 corpus (17232s/5707h MY) 05/14/06

########  ######################   ##################################################
#  Suspicious tag combinations
########  ######################   ##################################################

full      SARE_HTML_CALL_ME        m'\nPhone:\s+\d{3}-[\d\-<BR>]+\nMobile:\s+\d{3}-[\d\-<BR>]+\nEmail:\s+<A href.{1,100}</A>\n</DIV></BODY></HTML>'
describe  SARE_HTML_CALL_ME        spammer sign in text
score     SARE_HTML_CALL_ME        2.222
#hist     SARE_HTML_CALL_ME        Loren Wilton: LW_CALLME
#counts   SARE_HTML_CALL_ME        1s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_CALL_ME        1964s/0h of 400504 corpus (178155s/222349h RM) 03/31/05
#counts   SARE_HTML_CALL_ME        270s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
#counts   SARE_HTML_CALL_ME        0s/0h of 54969 corpus (17793s/37176h JH-3.01) 03/13/05
#counts   SARE_HTML_CALL_ME        0s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
#counts   SARE_HTML_CALL_ME        0s/0h of 11260 corpus (6568s/4692h CT) 06/17/05

########  ######################   ##################################################
#   Miscellaneous tag tests
########  ######################   ##################################################

########  ######################   ##################################################
#  Useless tags (tag structures that do nothing) 
#  Largely submitted by Matt Yackley, with contributions by 
#  Carl Friend, Jennifer Wheeler, Scott Sprunger, Larry Gilson
########  ######################   ##################################################

########  ######################   ##################################################
#   Tests destined for other rule sets
########  ######################   ##################################################

rawbody   __SARE_PHISH_HTML_02a    m'<a[\s\w=\.]+href=\"https?://\d+[^>]+>https://[^\d]'i
full      __SARE_PHISH_HTML_02b    m'<a[\s\w=\.]+href=\"https?://\d+[^>]+>https://[^\d]'i
meta      SARE_PHISH_HTML_02       __SARE_PHISH_HTML_02a || __SARE_PHISH_HTML_02b
score     SARE_PHISH_HTML_02       2.500 
#stype    SARE_PHISH_HTML_02       spamgg # phish 
#hist     SARE_PHISH_HTML_02       Loren Wilton: SARE_PHISH_HTML_03
describe  SARE_PHISH_HTML_02       numeric href with https description
#counts   SARE_PHISH_HTML_02       49s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_PHISH_HTML_02       90s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_PHISH_HTML_02       3s/0h of 56039 corpus (51703s/4336h AxB2) 05/15/06
#counts   SARE_PHISH_HTML_02       6s/0h of 13290 corpus (7418s/5872h CT) 05/14/06
#counts   SARE_PHISH_HTML_02       18s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
#counts   SARE_PHISH_HTML_02       34s/0h of 42447 corpus (34332s/8115h FVGT) 05/15/06
#counts   SARE_PHISH_HTML_02       5s/0h of 54969 corpus (17793s/37176h JH-3.01) 03/13/05
#counts   SARE_PHISH_HTML_02       3s/0h of 106350 corpus (72966s/33384h ML) 05/15/06
#counts   SARE_PHISH_HTML_02       2s/0h of 23068 corpus (17346s/5722h MY) 05/14/06

rawbody   __SARE_PHISH_HTML_03     m'<a\s+[\s\w=\.]*href=\"https?://\d+[^>]+>https://[^\d]'is
full      __SARE_PHISH_HTML_03a    m'<a\s+[\s\w=\.]*href=\"https?://\d+[^>]+>https://[^\d]'is
meta      SARE_PHISH_HTML_03       __SARE_PHISH_HTML_03 || __SARE_PHISH_HTML_03a
describe  SARE_PHISH_HTML_03       numeric href with https description
score     SARE_PHISH_HTML_03       1.666
#stype    SARE_PHISH_HTML_03       spamg
#hist     SARE_PHISH_HTML_03       Loren Wilton, Feb 28 2005
#counts   SARE_PHISH_HTML_03       49s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_PHISH_HTML_03       90s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_PHISH_HTML_03       3s/0h of 56039 corpus (51703s/4336h AxB2) 05/15/06
#counts   SARE_PHISH_HTML_03       6s/0h of 13290 corpus (7418s/5872h CT) 05/14/06
#counts   SARE_PHISH_HTML_03       18s/0h of 155327 corpus (103716s/51611h DOC) 05/14/06
#counts   SARE_PHISH_HTML_03       34s/0h of 42447 corpus (34332s/8115h FVGT) 05/15/06
#counts   SARE_PHISH_HTML_03       5s/0h of 54806 corpus (17633s/37173h JH-3.01) 03/13/05
#counts   SARE_PHISH_HTML_03       3s/0h of 106350 corpus (72966s/33384h ML) 05/15/06
#counts   SARE_PHISH_HTML_03       2s/0h of 23068 corpus (17346s/5722h MY) 05/14/06

# EOF


# SARE HTML Ruleset for SpamAssassin - ruleset 1
# Version: 01.03.10
# Created: 2004-03-31 
# Modified: 2006-06-03
# Usage instructions, documentation, and change history in 70_sare_html0.cf 

#@@# Revision History:  Full Revision History stored in 70_sare_html.log
#@@# 01.03.10: June 3 2006
#@@#           Minor score tweaks based on recent mass-checks
#@@#           Modified "rule has been moved" meta flags 
#@@#           Added to file 1      SARE_HTML_SINGLETS
#@@#           Archive:             SARE_HTML_ALT_WAIT1
#@@#           Archive:             SARE_HTML_A_NULL
#@@#           Archive:             SARE_HTML_H2_CLK
#@@#           Archive:             SARE_HTML_JSCRIPT_ENC
#@@#           Archive:             SARE_HTML_URI_BUG
#@@#           Moved file 1 to 2:   SARE_HTML_BR_MANY
#@@#           Moved file 1 to 2:   SARE_HTML_ONE_LINE2
#@@#           Moved file 1 to 2:   SARE_HTML_URI_OC
#@@#           Moved file 1 to 3:   SARE_HTML_TITLE_MNY
#@@#           Moved file 1 to 3:   SARE_HTML_URI_DEFASP  

# License: Artistic - see http://www.rulesemporium.com/license.txt 
# Current Maintainer: Bob Menschel - RMSA@Menschel.net
# Current Home: http://www.rulesemporium.com/rules/70_sare_html1.cf 

########  ######################   ##################################################
#         Rules renamed or moved
########  ######################   ##################################################

meta      __SARE_HEAD_FALSE        __FROM_AOL_COM && !__FROM_AOL_COM
meta      SARE_HTML_URI_RM         __SARE_HEAD_FALSE
meta      SARE_HTML_URI_REFID      __SARE_HEAD_FALSE
meta      SARE_HTML_ALT_WAIT1      __SARE_HEAD_FALSE
meta      SARE_HTML_A_NULL         __SARE_HEAD_FALSE
meta      SARE_HTML_H2_CLK         __SARE_HEAD_FALSE
meta      SARE_HTML_JSCRIPT_ENC    __SARE_HEAD_FALSE
meta      SARE_HTML_URI_BUG        __SARE_HEAD_FALSE
meta      SARE_HTML_BR_MANY        __SARE_HEAD_FALSE
meta      SARE_HTML_ONE_LINE2      __SARE_HEAD_FALSE
meta      SARE_HTML_URI_OC         __SARE_HEAD_FALSE
meta      SARE_HTML_TITLE_MNY      __SARE_HEAD_FALSE
meta      SARE_HTML_URI_DEFASP     __SARE_HEAD_FALSE

########  ######################   ##################################################

header    __CTYPE_HTML             Content-Type =~ /text\/html/i

rawbody   __SARE_HTML_HAS_A        eval:html_tag_exists('a')
rawbody   __SARE_HTML_HAS_BR       eval:html_tag_exists('br')
rawbody   __SARE_HTML_HAS_DIV      eval:html_tag_exists('div')
rawbody   __SARE_HTML_HAS_FONT     eval:html_tag_exists('font')
rawbody   __SARE_HTML_HAS_IMG      eval:html_tag_exists('img')
rawbody   __SARE_HTML_HAS_P        eval:html_tag_exists('p')
rawbody   __SARE_HTML_HAS_PRE      eval:html_tag_exists('pre')
rawbody   __SARE_HTML_HAS_TITLE    eval:html_tag_exists('title')

rawbody   __SARE_HTML_HBODY        m'<html><body>'i
rawbody   __SARE_HTML_BEHTML       m'<body></html>'i
rawbody   __SARE_HTML_BEHTML2      m'^</?body></html>'i
rawbody   __SARE_HTML_EFONT        m'^</font>'i
rawbody   __SARE_HTML_EHEB         m'^</html></body>'i
rawbody   __SARE_HTML_CMT_CNTR     /<center><!--/

# JH: These rules test for strange color combinations. There migth be even more powerful combinations, but I haven't had time to check them all
rawbody   __SARE_LIGHT_FG_COLOR    /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!fff\W|ffffff)(?:[e-f]{3}\W|(?:[e-f][0-9a-f]){3})|rgb(?:\((?!\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255)\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10}\)|\((?!\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%)\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10}\))|(?:Light(?:Cyan|Yellow)|(?:Ghost|Floral)White|WhiteSmoke|LemonChiffon|AliceBlue|Cornsilk|Seashell|Honeydew|Azure|MintCream|Snow|Ivory|OldLace|LavenderBlush|Linen|MistyRose))/i
rawbody   __SARE_WHITE_FG_COLOR    /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:fff\W|ffffff)|rgb(?:\(\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255\s{0,10}\)|\\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10}\))|white)/i
rawbody   __SARE_DARK_FG_COLOR     /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!000\W|000000)(?:[01]{3}\W|(?:[01][0-9a-f]){3})|rgb(?:\((?!\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\D)\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10}\)|\((?!\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%)\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10}\)))/i
rawbody   __SARE_BLACK_FG_COLOR    /[^\-a-z]color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:000\W|000000)|rgb\s{0,10}\(\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\s{0,10}\)|rgb\s{0,10}\(\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10}\)|black)/i
rawbody   __SARE_LIGHT_BG_COLOR    /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!ffffff|fff\W)(?:[e-f]{3}\W|(?:[e-f][0-9a-f]){3})|rgb(?:\((?!\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255)\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10},\s{0,10}2[2-5][0-9]\s{0,10}\)|\((?!\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%)\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10},\s{0,10}(?:100|9[0-9]|8[6-9])\s{0,10}%\s{0,10}\))|(?:Light(?:Cyan|Yellow)|(?:Ghost|Floral)White|WhiteSmoke|LemonChiffon|AliceBlue|Cornsilk|Seashell|Honeydew|Azure|MintCream|Snow|Ivory|OldLace|LavenderBlush|Linen|MistyRose))/i
rawbody   __SARE_WHITE_BG_COLOR    /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:fff\W|ffffff)|rgb(?:\(\s{0,10}255\s{0,10},\s{0,10}255\s{0,10},\s{0,10}255\s{0,10}\)|\(\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10},\s{0,10}100\s{0,10}%\s{0,10}\))|white)/i
rawbody   __SARE_DARK_BG_COLOR     /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?!000\W|000000)(?:[01]{3}\W|(?:[01][0-9a-f]){3})|rgb(?:\((?!\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\D)\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10},\s{0,10}[0-3]?[0-9]\s{0,10}\)|\((?!\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%)\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10},\s{0,10}(?:[1-3]?[0-9])\s{0,10}%\s{0,10}\)))/i
rawbody   __SARE_BLACK_BG_COLOR    /(?:bg|background\-)color\s{0,10}(?::|=(?:3d)?(?!3d))(?:[\s\'\"]){0,10}(?![\s\'\"])(?:\#?(?!\#)(?:000\W|000000)|rgb\s{0,10}\(\s{0,10}0\s{0,10},\s{0,10}0\s{0,10},\s{0,10}0\s{0,10}\)|rgb\s{0,10}\(\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10},\s{0,10}0\s{0,10}%\s{0,10}\)|black)/i
rawbody   __SARE_HAS_BG_COLOR      /(?:bg|background\-)color\s{0,10}(?::|=)/i
rawbody   __SARE_HAS_FG_COLOR      /[^\-a-z]color\s{0,10}(?::|=)/i

########  ######################   ##################################################
#   Is there a message? 
########  ######################   ##################################################

########  ######################   ##################################################
#   <HTML> and <BODY> tag spamsign
########  ######################   ##################################################

full      SARE_HTML_HTML_QUOT      /<HTML>.{0,2}&quot;/is
describe  SARE_HTML_HTML_QUOT      Message body has very strange HTML sequence
score     SARE_HTML_HTML_QUOT      1.666
#ham      SARE_HTML_HTML_QUOT      verified (2)
#hist     SARE_HTML_HTML_QUOT      Fred T: FR_HTML_QUOTE
#counts   SARE_HTML_HTML_QUOT      197s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_HTML_QUOT      236s/0h of 114422 corpus (81069s/33353h RM) 01/16/05
#counts   SARE_HTML_HTML_QUOT      23s/0h of 9991 corpus (5656s/4335h AxB) 05/14/06
#counts   SARE_HTML_HTML_QUOT      16s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
#counts   SARE_HTML_HTML_QUOT      82s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
#counts   SARE_HTML_HTML_QUOT      38s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#counts   SARE_HTML_HTML_QUOT      159s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
#counts   SARE_HTML_HTML_QUOT      5s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
#max      SARE_HTML_HTML_QUOT      98s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
#counts   SARE_HTML_HTML_QUOT      0s/0h of 4676 corpus (808s/3868h ft) 05/28/05

full      SARE_HTML_HTML_TBL       /<html>.{0,2}<table/is
describe  SARE_HTML_HTML_TBL       Message body has very strange HTML sequence
score     SARE_HTML_HTML_TBL       0.646
#hist     SARE_HTML_HTML_TBL       Fred T: FR_HTML_TABLE
#counts   SARE_HTML_HTML_TBL       94s/3h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_HTML_TBL       287s/0h of 114422 corpus (81069s/33353h RM) 01/16/05
#counts   SARE_HTML_HTML_TBL       10s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
#counts   SARE_HTML_HTML_TBL       10s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
#counts   SARE_HTML_HTML_TBL       3s/3h of 42454 corpus (34336s/8118h FVGT) 05/15/06
#counts   SARE_HTML_HTML_TBL       11s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#max      SARE_HTML_HTML_TBL       140s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
#counts   SARE_HTML_HTML_TBL       22s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
#counts   SARE_HTML_HTML_TBL       13s/3h of 23074 corpus (17350s/5724h MY) 05/14/06
#max      SARE_HTML_HTML_TBL       30s/3h of 57287 corpus (52272s/5015h MY) 09/22/05

########  ######################   ##################################################
#   <TITLE> Tag Tests
########  ######################   ##################################################

rawbody   SARE_HTML_TITLE_1WD      m'^<title>[a-z]+</title>$'  
describe  SARE_HTML_TITLE_1WD      strange document title
score     SARE_HTML_TITLE_1WD      1.591
#hist     SARE_HTML_TITLE_1WD      Loren Wilton LW_FUNNY_TITLE
#counts   SARE_HTML_TITLE_1WD      1125s/4h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_TITLE_1WD      2076s/18h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HTML_TITLE_1WD      34s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
#counts   SARE_HTML_TITLE_1WD      105s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
#max      SARE_HTML_TITLE_1WD      143s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#counts   SARE_HTML_TITLE_1WD      0s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
#max      SARE_HTML_TITLE_1WD      1s/0h of 4676 corpus (808s/3868h ft) 05/28/05
#counts   SARE_HTML_TITLE_1WD      123s/2h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#counts   SARE_HTML_TITLE_1WD      174s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
#counts   SARE_HTML_TITLE_1WD      53s/1h of 23074 corpus (17350s/5724h MY) 05/14/06
#max      SARE_HTML_TITLE_1WD      151s/1h of 47221 corpus (42968s/4253h MY) 06/18/05

rawbody   SARE_HTML_TITLE_2WD      m'^<title>[a-z]+\s[a-z]+</title>$'        # no /i
score     SARE_HTML_TITLE_2WD      0.660
describe  SARE_HTML_TITLE_2WD      strange document title
#hist     SARE_HTML_TITLE_2WD      Loren Wilton LW_FUNNY_TITLE1
#counts   SARE_HTML_TITLE_2WD      85s/7h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_TITLE_2WD      314s/9h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HTML_TITLE_2WD      18s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
#counts   SARE_HTML_TITLE_2WD      14s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
#max      SARE_HTML_TITLE_2WD      15s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
#counts   SARE_HTML_TITLE_2WD      6s/1h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#max      SARE_HTML_TITLE_2WD      19s/1h of 54089 corpus (16916s/37173h JH-3.01) 02/25/05
#counts   SARE_HTML_TITLE_2WD      29s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
#counts   SARE_HTML_TITLE_2WD      18s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
#max      SARE_HTML_TITLE_2WD      40s/0h of 57287 corpus (52272s/5015h MY) 09/22/05

rawbody   SARE_HTML_TITLE_DAY      /<title>(monday|tuesday|wednesday|thursday|friday)<\/title>/i
describe  SARE_HTML_TITLE_DAY      HTML contains day of week in title
score     SARE_HTML_TITLE_DAY      1.081
#hist     SARE_HTML_TITLE_DAY      Tim Jackson, May 12 2005
#counts   SARE_HTML_TITLE_DAY      184s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
#counts   SARE_HTML_TITLE_DAY      2s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
#counts   SARE_HTML_TITLE_DAY      0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
#max      SARE_HTML_TITLE_DAY      25s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
#counts   SARE_HTML_TITLE_DAY      2s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#counts   SARE_HTML_TITLE_DAY      1s/1h of 23074 corpus (17350s/5724h MY) 05/14/06
#max      SARE_HTML_TITLE_DAY      16s/1h of 57287 corpus (52272s/5015h MY) 09/22/05

rawbody   SARE_HTML_TITLE_LWORD    /<title>[a-zA-Z]{15,}<\/title>/i
describe  SARE_HTML_TITLE_LWORD    HTML Title contains looong word
score     SARE_HTML_TITLE_LWORD    0.665
#ham      SARE_HTML_TITLE_LWORD    Rite Aid Single Check Rebates <rebates@rebates.riteaid.com>
#counts   SARE_HTML_TITLE_LWORD    485s/31h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_TITLE_LWORD    732s/40h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HTML_TITLE_LWORD    42s/1h of 56024 corpus (51686s/4338h AxB2) 05/15/06
#counts   SARE_HTML_TITLE_LWORD    3s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
#max      SARE_HTML_TITLE_LWORD    3s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
#counts   SARE_HTML_TITLE_LWORD    4s/3h of 42454 corpus (34336s/8118h FVGT) 05/15/06
#counts   SARE_HTML_TITLE_LWORD    32s/1h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#counts   SARE_HTML_TITLE_LWORD    161s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
#counts   SARE_HTML_TITLE_LWORD    84s/4h of 23074 corpus (17350s/5724h MY) 05/14/06
#max      SARE_HTML_TITLE_LWORD    202s/1h of 47221 corpus (42968s/4253h MY) 06/18/05

rawbody   SARE_HTML_TITLE_SEX      /<title>.{0,15}\bSex.{0,15}<\/title>/i
score     SARE_HTML_TITLE_SEX      0.689
#ham      SARE_HTML_TITLE_SEX      confirmed (2) 
#hist     SARE_HTML_TITLE_SEX      Fred T: FR_TITLE_SEX
#counts   SARE_HTML_TITLE_SEX      4s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_TITLE_SEX      167s/2h of 196681 corpus (96193s/100488h RM) 02/22/05
#counts   SARE_HTML_TITLE_SEX      1s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
#counts   SARE_HTML_TITLE_SEX      0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
#max      SARE_HTML_TITLE_SEX      7s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
#counts   SARE_HTML_TITLE_SEX      7s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
#counts   SARE_HTML_TITLE_SEX      5s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#max      SARE_HTML_TITLE_SEX      14s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
#counts   SARE_HTML_TITLE_SEX      1s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
#counts   SARE_HTML_TITLE_SEX      6s/0h of 23074 corpus (17350s/5724h MY) 05/14/06

########  ######################   ##################################################
#   <A> and HREF rules          
########  ######################   ##################################################

full      SARE_HTML_A_BODY         /(?!<body>\n\n<a href)<body>.{0,4}<a href/is
describe  SARE_HTML_A_BODY         Message body has very strange HTML sequence
score     SARE_HTML_A_BODY         0.742
#hist     SARE_HTML_A_BODY         Fred T: FR_BODY_AHREF
#counts   SARE_HTML_A_BODY         419s/2h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_A_BODY         1527s/18h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HTML_A_BODY         20s/1h of 56024 corpus (51686s/4338h AxB2) 05/15/06
#counts   SARE_HTML_A_BODY         2s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
#max      SARE_HTML_A_BODY         92s/3h of 10826 corpus (6364s/4462h CT) 05/28/05
#counts   SARE_HTML_A_BODY         30s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
#counts   SARE_HTML_A_BODY         359s/25h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#counts   SARE_HTML_A_BODY         134s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
#counts   SARE_HTML_A_BODY         10s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
#max      SARE_HTML_A_BODY         50s/0h of 26326 corpus (22886s/3440h MY) 02/15/05

########  ######################   ##################################################
#   Spamsign character sets and fonts 
########  ######################   ##################################################

rawbody   SARE_HTML_FONT_EBEF      m'</body></font>'i
describe  SARE_HTML_FONT_EBEF      Message body has very strange HTML sequence
score     SARE_HTML_FONT_EBEF      0.658
#ham      SARE_HTML_FONT_EBEF      verified (1) 
#hist     SARE_HTML_FONT_EBEF      Fred T: FR_BODY_FONT
#counts   SARE_HTML_FONT_EBEF      0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_FONT_EBEF      44s/1h of 281655 corpus (110173s/171482h RM) 05/05/05
#counts   SARE_HTML_FONT_EBEF      36s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#max      SARE_HTML_FONT_EBEF      123s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
#counts   SARE_HTML_FONT_EBEF      1s/1h of 23074 corpus (17350s/5724h MY) 05/14/06
#max      SARE_HTML_FONT_EBEF      50s/1h of 31513 corpus (27912s/3601h MY) 03/09/05
#counts   SARE_HTML_FONT_EBEF      0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05

rawbody   SARE_HTML_FONT_SPL       /^\#[a-z0-9]{6}>/i    
describe  SARE_HTML_FONT_SPL       Message uses suspicious font size and/or color
score     SARE_HTML_FONT_SPL       0.650
#ham      SARE_HTML_FONT_SPL       verified (1)
#hist     SARE_HTML_FONT_SPL       Charles Gregory 
#overlap  SARE_HTML_FONT_SPL       Overlaps strongly with SARE_HTML_A_INV, though there's no regex overlap
#overlap  SARE_HTML_FONT_SPL       Overlaps strongly with SARE_HTML_FONT_SPLIT for obvious reasons, but not enough to warrant dropping one.
#counts   SARE_HTML_FONT_SPL       3s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_FONT_SPL       360s/0h of 85073 corpus (62478s/22595h RM) 06/07/04
#counts   SARE_HTML_FONT_SPL       5s/0h of 9991 corpus (5656s/4335h AxB) 05/14/06
#counts   SARE_HTML_FONT_SPL       1s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
#max      SARE_HTML_FONT_SPL       14s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
#counts   SARE_HTML_FONT_SPL       5s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#max      SARE_HTML_FONT_SPL       53s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
#counts   SARE_HTML_FONT_SPL       3s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
#counts   SARE_HTML_FONT_SPL       0s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
#max      SARE_HTML_FONT_SPL       1s/0h of 47221 corpus (42968s/4253h MY) 06/18/05

########  ######################   ##################################################
#   Invalid or Suspicious URI Tests
########  ######################   ##################################################

rawbody   SARE_HTML_URI_ESCWWW     /(?:%77w%77|w%77%77|%77%77w)/i
describe  SARE_HTML_URI_ESCWWW     URI with obfuscated destination 
score     SARE_HTML_URI_ESCWWW     2.222
#hist     SARE_HTML_URI_ESCWWW     Fred T: FR_ESCAPE_WWW
#overlap  SARE_HTML_URI_ESCWWW     Overlaps with SARE_HTML_FSIZE_1ALL
#counts   SARE_HTML_URI_ESCWWW     2572s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
#counts   SARE_HTML_URI_ESCWWW     16s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
#counts   SARE_HTML_URI_ESCWWW     0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
#max      SARE_HTML_URI_ESCWWW     3s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
#counts   SARE_HTML_URI_ESCWWW     117s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
#counts   SARE_HTML_URI_ESCWWW     0s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#max      SARE_HTML_URI_ESCWWW     16s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
#counts   SARE_HTML_URI_ESCWWW     70s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
#counts   SARE_HTML_URI_ESCWWW     0s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
#max      SARE_HTML_URI_ESCWWW     1s/0h of 26326 corpus (22886s/3440h MY) 02/15/05

uri       SARE_HTML_URI_LHOST30    m*^https?://[a-z0-9]{30}\.*i
describe  SARE_HTML_URI_LHOST30    Long unbroken string within URI
score     SARE_HTML_URI_LHOST30    1.666
#hist     SARE_HTML_URI_LHOST30    Fred T (originally 40,)
#ham      SARE_HTML_URI_LHOST30    30: www.rebuildingthevillagefoundation.org
#counts   SARE_HTML_URI_LHOST30    301s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
#counts   SARE_HTML_URI_LHOST30    18s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
#counts   SARE_HTML_URI_LHOST30    6s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
#counts   SARE_HTML_URI_LHOST30    27s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
#counts   SARE_HTML_URI_LHOST30    0s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#max      SARE_HTML_URI_LHOST30    3s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
#counts   SARE_HTML_URI_LHOST30    128s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
#counts   SARE_HTML_URI_LHOST30    5s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
#max      SARE_HTML_URI_LHOST30    13s/0h of 57287 corpus (52272s/5015h MY) 09/22/05

uri       SARE_HTML_URI_LHOST31    m*^https?://[a-z0-9]{31,}\.*i
describe  SARE_HTML_URI_LHOST31    Long unbroken string within URI
score     SARE_HTML_URI_LHOST31    1.666
#hist     SARE_HTML_URI_LHOST31    Fred T (originally 40,)
#ham      SARE_HTML_URI_LHOST31    30: www.rebuildingthevillagefoundation.org
#counts   SARE_HTML_URI_LHOST31    776s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_URI_LHOST31    840s/15h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HTML_URI_LHOST31    90s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
#counts   SARE_HTML_URI_LHOST31    99s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
#counts   SARE_HTML_URI_LHOST31    125s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
#counts   SARE_HTML_URI_LHOST31    456s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
#counts   SARE_HTML_URI_LHOST31    94s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
#counts   SARE_HTML_URI_LHOST31    21s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05

uri       SARE_HTML_URI_NOMORE     m'/nomore\.htm'i
describe  SARE_HTML_URI_NOMORE     URI to page name which suggests spammer's page
score     SARE_HTML_URI_NOMORE     0.906
#ham      SARE_HTML_URI_NOMORE     http://www.afsc.org/nomore.htm; Student Peace Action Network (SPAN)
#counts   SARE_HTML_URI_NOMORE     2s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_URI_NOMORE     1200s/0h of 92209 corpus (74874s/17335h RM) 01/17/04
#counts   SARE_HTML_URI_NOMORE     7s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
#counts   SARE_HTML_URI_NOMORE     0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
#max      SARE_HTML_URI_NOMORE     69s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
#counts   SARE_HTML_URI_NOMORE     54s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#max      SARE_HTML_URI_NOMORE     68s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
#counts   SARE_HTML_URI_NOMORE     0s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
#max      SARE_HTML_URI_NOMORE     4s/0h of 26326 corpus (22886s/3440h MY) 02/15/05

uri       SARE_HTML_URI_OUTPHP     /\bout\.php/i
describe  SARE_HTML_URI_OUTPHP     text uri to unsubscribe link
score     SARE_HTML_URI_OUTPHP     0.907
#addsto   SARE_HTML_URI_OUTPHP     SARE_HTML_URI_OPTPHP
#ham      SARE_HTML_URI_OUTPHP     Bravenet ad attached to reply form email
#counts   SARE_HTML_URI_OUTPHP     80s/3h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_URI_OUTPHP     144s/2h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HTML_URI_OUTPHP     88s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
#counts   SARE_HTML_URI_OUTPHP     10s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
#max      SARE_HTML_URI_OUTPHP     21s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
#counts   SARE_HTML_URI_OUTPHP     4s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
#counts   SARE_HTML_URI_OUTPHP     13s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#max      SARE_HTML_URI_OUTPHP     25s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
#counts   SARE_HTML_URI_OUTPHP     58s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
#counts   SARE_HTML_URI_OUTPHP     0s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
#max      SARE_HTML_URI_OUTPHP     17s/0h of 57287 corpus (52272s/5015h MY) 09/22/05

uri       SARE_HTML_URI_PARTID     m|/[\?\&]partid=|i
describe  SARE_HTML_URI_PARTID     Partner Id in URL
score     SARE_HTML_URI_PARTID     0.166
#hist     SARE_HTML_URI_PARTID     Loren Wilton <lwilton@earthlink.net>, Sat, 3 Apr 2004 20:29:32 -0800
#counts   SARE_HTML_URI_PARTID     0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_URI_PARTID     1264s/0h of 85073 corpus (62478s/22595h RM) 06/07/04
#counts   SARE_HTML_URI_PARTID     0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
#max      SARE_HTML_URI_PARTID     37s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
#counts   SARE_HTML_URI_PARTID     81s/6h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#max      SARE_HTML_URI_PARTID     302s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
#counts   SARE_HTML_URI_PARTID     3s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
#max      SARE_HTML_URI_PARTID     26s/0h of 47221 corpus (42968s/4253h MY) 06/18/05

########  ######################   ##################################################
#  <!-- Comment tag tests
########  ######################   ##################################################

meta      SARE_HTML_CMT_CNTR       __SARE_HTML_CMT_CNTR
describe  SARE_HTML_CMT_CNTR       Message has a center followed by a comment
score     SARE_HTML_CMT_CNTR       0.676
#hist     SARE_HTML_CMT_CNTR       Carl F: CRM_CENTER_COM
#ham      SARE_HTML_CMT_CNTR       Strategic Developer <strategicdeveloper@newsletter.infoworld.com>, Thursday, January 27, 2005, 10:57:37 AM  
#counts   SARE_HTML_CMT_CNTR       9s/2h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_CMT_CNTR       173s/7h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HTML_CMT_CNTR       1s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
#counts   SARE_HTML_CMT_CNTR       53s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
#max      SARE_HTML_CMT_CNTR       196s/0h of 32260 corpus (8983s/23277h JH) 05/14/04
#counts   SARE_HTML_CMT_CNTR       2s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
#counts   SARE_HTML_CMT_CNTR       21s/1h of 23074 corpus (17350s/5724h MY) 05/14/06
#counts   SARE_HTML_CMT_CNTR       1s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
#counts   SARE_HTML_CMT_CNTR       0s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
#max      SARE_HTML_CMT_CNTR       7s/0h of 6944 corpus (3188s/3756h CT) 05/19/04

########  ######################   ##################################################
#   Image tag tests
########  ######################   ##################################################

rawbody   SARE_HTML_IMG_2AT        /IMG\s*SRC\s*=s*"cid:part1\.\d{8}.\d{8}\@[a-z]+\@[\w\.]+"/is
describe  SARE_HTML_IMG_2AT        strange internal image link
score     SARE_HTML_IMG_2AT        1.216
#hist     SARE_HTML_IMG_2AT        Loren Wilton: LW_DOUBLE_AT
#hist     SARE_HTML_IMG_2AT        Apr 2 2005, Bob Menschel, Added spaces around "="
#hist     SARE_HTML_IMG_2AT        Apr 16 2005, Bob Menschel, replaced spaces with \s
#counts   SARE_HTML_IMG_2AT        328s/13h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_IMG_2AT        3648s/4h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HTML_IMG_2AT        222s/0h of 9991 corpus (5656s/4335h AxB) 05/14/06
#counts   SARE_HTML_IMG_2AT        69s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
#counts   SARE_HTML_IMG_2AT        828s/1h of 42454 corpus (34336s/8118h FVGT) 05/15/06
#counts   SARE_HTML_IMG_2AT        57s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#counts   SARE_HTML_IMG_2AT        280s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
#counts   SARE_HTML_IMG_2AT        0s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
#max      SARE_HTML_IMG_2AT        105s/0h of 47221 corpus (42968s/4253h MY) 06/18/05

########  ######################   ##################################################
#  <tag ... ALT= ...> tag tests
########  ######################   ##################################################

########  ######################   ##################################################
#   Javascript and object tests     
########  ######################   ##################################################

full      SARE_HTML_IMG_ONLY       m'<(?:html|body).{1,200}<a.{12,145}<img.{11,200}</(?:body|html)>'is
describe  SARE_HTML_IMG_ONLY       Short HTML msg, IMG and A HREF, maybe naught else
score     SARE_HTML_IMG_ONLY       1.666
#ham      SARE_HTML_IMG_ONLY       Verified (image-only ham)
#hist     SARE_HTML_IMG_ONLY       Originally Fred T: FVGT_m_IMAGE_ONLY
#hist     SARE_HTML_IMG_ONLY       Enhanced May 29 2004 by Bob Menschel, incorporate all tests in one regex
#ham      SARE_HTML_IMG_ONLY       5: Oct 2002 Yahoo webmail with automatically inserted FAULTY flamingtext.com advertisement
#overlap  SARE_HTML_IMG_ONLY       Rules that completely overlap this one: SARE_HTML_PILL3, SARE_HTML_PILL4
#counts   SARE_HTML_IMG_ONLY       14904s/16h of 333405 corpus (262498s/70907h RM) 05/12/06
#counts   SARE_HTML_IMG_ONLY       70s/1h of 56024 corpus (51686s/4338h AxB2) 05/15/06
#counts   SARE_HTML_IMG_ONLY       154s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
#counts   SARE_HTML_IMG_ONLY       4131s/6h of 42454 corpus (34336s/8118h FVGT) 05/15/06
#counts   SARE_HTML_IMG_ONLY       261s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#max      SARE_HTML_IMG_ONLY       553s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
#counts   SARE_HTML_IMG_ONLY       4730s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
#counts   SARE_HTML_IMG_ONLY       7s/7h of 23074 corpus (17350s/5724h MY) 05/14/06
#max      SARE_HTML_IMG_ONLY       141s/0h of 26326 corpus (22886s/3440h MY) 02/15/05

rawbody   SARE_HTML_JVS_FLASH      m'codebase="https://download\.macromedia\.com/pub/shockwave'i
describe  SARE_HTML_JVS_FLASH      Tries to load flash animation 
score     SARE_HTML_JVS_FLASH      1.246
#ham      SARE_HTML_JVS_FLASH      verified (1) cbs.marketwatch.com
#hist     SARE_HTML_JVS_FLASH      Mike Kuentz <JunkEmail@rapidigm.com>
#counts   SARE_HTML_JVS_FLASH      444s/3h of 333405 corpus (262498s/70907h RM) 05/12/06
#counts   SARE_HTML_JVS_FLASH      33s/0h of 56024 corpus (51686s/4338h AxB2) 05/15/06
#counts   SARE_HTML_JVS_FLASH      0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
#max      SARE_HTML_JVS_FLASH      4s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
#counts   SARE_HTML_JVS_FLASH      0s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
#max      SARE_HTML_JVS_FLASH      7s/0h of 29366 corpus (5882s/23484h JH) 07/23/04 TM2 SA3.0-pre2
#counts   SARE_HTML_JVS_FLASH      53s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
#counts   SARE_HTML_JVS_FLASH      0s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
#max      SARE_HTML_JVS_FLASH      28s/0h of 47221 corpus (42968s/4253h MY) 06/18/05

########  ######################   ##################################################
#  Obviously invalid html tag
########  ######################   ##################################################

header    __CT_TEXT_PLAIN          Content-Type =~ /^text\/plain\b/i
rawbody   __SARE_HTML_INV_TAG      /\w<\!\w{18,60}>\w/i
rawbody   __SARE_HTML_INV_TAG2     m'\w</?(?!(?:blockquote|optiongroup|plaintext|fontfamily|underline|cf.+))[a-z]{9,17}>\w'
rawbody   __SARE_HTML_INV_TAG3     m'\w<[/!]?(?!cf.+)\w{11,20}>\w'i
rawbody   __SARE_HTML_INV_TAG4     m'\w(?!</?cf.{1,8}>)<[/!]?[bcdfghjklmnpqrstvwxz]{5,9}>\w'i

meta      SARE_HTML_INV_TAG        ( __SARE_HTML_INV_TAG || __SARE_HTML_INV_TAG2 || __SARE_HTML_INV_TAG3 || __SARE_HTML_INV_TAG4 ) && !__CT_TEXT_PLAIN
describe  SARE_HTML_INV_TAG        Message contains invalid HTML tag
score     SARE_HTML_INV_TAG        2.222
#ham      SARE_HTML_INV_TAG        Monotone source code included within body of email
#hist     SARE_HTML_INV_TAG        Combined three invalid-tag rules into one, added \w front and back, to test for
#hist     SARE_HTML_INV_TAG        obfuscation of surrounding text, added tests against __CT_TEXT_PLAIN to give 
#hist     SARE_HTML_INV_TAG        higher scores to HTML email than to plain text email. Enhancements due to 
#hist     SARE_HTML_INV_TAG        ideas suggested by Jesse Houwing, Nicolas Riendeau, and Bob Menschel
#counts   SARE_HTML_INV_TAG        36s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_INV_TAG        5650s/0h of 114422 corpus (81069s/33353h RM) 01/16/05
#counts   SARE_HTML_INV_TAG        8s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
#max      SARE_HTML_INV_TAG        66s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
#counts   SARE_HTML_INV_TAG        21s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
#counts   SARE_HTML_INV_TAG        386s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#max      SARE_HTML_INV_TAG        930s/0h of 38766 corpus (15284s/23482h JH-SA3.0rc1) 09/03/04
#counts   SARE_HTML_INV_TAG        17s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
#counts   SARE_HTML_INV_TAG        0s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
#max      SARE_HTML_INV_TAG        952s/0h of 19469 corpus (16883s/2586h MY) 09/03/04

########  ######################   ##################################################
#   Paragraphs, breaks, and spacings
########  ######################   ##################################################

########  ######################   ##################################################
#  Suspicious tag combinations
########  ######################   ##################################################

rawbody   SARE_HTML_CNTR_TBL       /<center>\s*<table>/im
describe  SARE_HTML_CNTR_TBL       Contains centred table
score     SARE_HTML_CNTR_TBL       1.666
#ham      SARE_HTML_CNTR_TBL       verified (1) 
#hist     SARE_HTML_CNTR_TBL       Tim Jackson, May 25 2005
#counts   SARE_HTML_CNTR_TBL       745s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
#counts   SARE_HTML_CNTR_TBL       1188s/2h of 56024 corpus (51686s/4338h AxB2) 05/15/06
#counts   SARE_HTML_CNTR_TBL       0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
#max      SARE_HTML_CNTR_TBL       3s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
#counts   SARE_HTML_CNTR_TBL       27s/1h of 42454 corpus (34336s/8118h FVGT) 05/15/06
#counts   SARE_HTML_CNTR_TBL       0s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#counts   SARE_HTML_CNTR_TBL       2s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
#counts   SARE_HTML_CNTR_TBL       32s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
#max      SARE_HTML_CNTR_TBL       57s/0h of 57287 corpus (52272s/5015h MY) 09/22/05

rawbody   __SARE_HTML_SINGLET1     /> [a-z] </i
rawbody   __SARE_HTML_SINGLET2     />[a-z]</i
meta      SARE_HTML_SINGLETS       __SARE_HTML_SINGLET1 && __SARE_HTML_SINGLET2
describe  SARE_HTML_SINGLETS       spam pattern in HTML email
score     SARE_HTML_SINGLETS       1.666
#hist     SARE_HTML_SINGLETS       Robert Brooks, March 2006
#ham      SARE_HTML_SINGLETS       verified (amateur webmaster sample page attached to email)
#counts   SARE_HTML_SINGLETS       26498s/3h of 333405 corpus (262498s/70907h RM) 05/12/06
#counts   SARE_HTML_SINGLETS       3660s/2h of 55981 corpus (51658s/4323h AxB2) 05/15/06
#counts   SARE_HTML_SINGLETS       130s/0h of 13285 corpus (7413s/5872h CT) 05/14/06
#counts   SARE_HTML_SINGLETS       2016s/0h of 155481 corpus (103930s/51551h DOC) 05/15/06
#counts   SARE_HTML_SINGLETS       65s/2h of 42253 corpus (34139s/8114h FVGT) 05/15/06
#counts   SARE_HTML_SINGLETS       5798s/1h of 106183 corpus (72941s/33242h ML) 05/14/06
#counts   SARE_HTML_SINGLETS       20s/1h of 22939 corpus (17232s/5707h MY) 05/14/06

########  ######################   ##################################################
#  Useless tags (tag structures that do nothing) 
#  Largely submitted by Matt Yackley, with contributions by 
#  Carl Friend, Jennifer Wheeler, Scott Sprunger, Larry Gilson
########  ######################   ##################################################

rawbody   SARE_HTML_USL_FONT       m'^<FONT[^>]{0,20}></FONT><'
describe  SARE_HTML_USL_FONT       Another spam attempt
score     SARE_HTML_USL_FONT       0.797
#hist     SARE_HTML_USL_FONT       Loren Wilton Apr 11 2005
#counts   SARE_HTML_USL_FONT       54s/2h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_USL_FONT       5192s/1h of 269462 corpus (128310s/141152h RM) 06/17/05
#counts   SARE_HTML_USL_FONT       0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
#max      SARE_HTML_USL_FONT       1s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
#counts   SARE_HTML_USL_FONT       0s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
#max      SARE_HTML_USL_FONT       9s/0h of 6804 corpus (1336s/5468h ft) 06/17/05
#counts   SARE_HTML_USL_FONT       7s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#counts   SARE_HTML_USL_FONT       32s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
#counts   SARE_HTML_USL_FONT       81s/1h of 23074 corpus (17350s/5724h MY) 05/14/06
#max      SARE_HTML_USL_FONT       1047s/1h of 57287 corpus (52272s/5015h MY) 09/22/05

rawbody   SARE_HTML_USL_OBFU       m'\w<(\w+)(?: [^>]*)?></\1[^>]*>\w'
describe  SARE_HTML_USL_OBFU       Message body has very strange HTML sequence
score     SARE_HTML_USL_OBFU       1.666
#match    SARE_HTML_USL_OBFU       partialword<tag></tag>restofword
#hist     SARE_HTML_USL_OBFU       Created by Bob Menschel Aug 12 2004
#counts   SARE_HTML_USL_OBFU       393s/3h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_USL_OBFU       520s/6h of 196718 corpus (96193s/100525h RM) 02/22/05
#counts   SARE_HTML_USL_OBFU       14s/0h of 9991 corpus (5656s/4335h AxB) 05/14/06
#counts   SARE_HTML_USL_OBFU       0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05
#max      SARE_HTML_USL_OBFU       16s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
#counts   SARE_HTML_USL_OBFU       88s/0h of 42454 corpus (34336s/8118h FVGT) 05/15/06
#counts   SARE_HTML_USL_OBFU       298s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#max      SARE_HTML_USL_OBFU       457s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
#counts   SARE_HTML_USL_OBFU       111s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
#counts   SARE_HTML_USL_OBFU       21s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
#max      SARE_HTML_USL_OBFU       148s/0h of 17145 corpus (14677s/2468h MY) 08/12/04

########  ######################   ##################################################
#   Miscellaneous tag tests
########  ######################   ##################################################

# EOF


# SARE HTML Ruleset for SpamAssassin - ruleset 2
# Version: 01.03.10
# Created: 2004-03-31 
# Modified: 2006-06-03
# Usage instructions, documentation, and change history in 70_sare_html0.cf 

#@@# Revision History:  Full Revision History stored in 70_sare_html.log
#@@# 01.03.09: May ?? 2006
#@@#           Minor score tweaks based on recent mass-checks
#@@#           Moved file 0 to file 2:   SARE_HTML_EHTML_OBFU
#@@#           Moved file 0 to file 2:   SARE_HTML_HEAD_AFFIL
#@@#           Moved file 0 to file 2:   SARE_HTML_LEAKTHRU1
#@@#           Moved file 0 to file 2:   SARE_HTML_LEAKTHRU2
#@@#           Moved file 0 to file 2:   SARE_HTML_ONE_LINE3
#@@#           Moved file 0 to file 2:   SARE_HTML_POB1200
#@@#           Moved file 0 to file 2:   SARE_HTML_URI_HIDADD
#@@#           Moved file 0 to file 2:   SARE_HTML_URI_LOGOGEN
#@@#           Moved file 0 to file 2:   SARE_HTML_URI_OFF
#@@#           Moved file 0 to file 2:   SARE_HTML_USL_B7
#@@#           Moved file 0 to file 2:   SARE_HTML_USL_B9
#@@#           Moved file 0 to file 2:   SARE_PHISH_HTML_01
#@@# 01.03.10: June 3 2006
#@@#           Minor score tweaks based on recent mass-checks
#@@#           Moved file 1 to 2:   SARE_HTML_BR_MANY
#@@#           Moved file 1 to 2:   SARE_HTML_ONE_LINE2
#@@#           Moved file 1 to 2:   SARE_HTML_URI_OC

# License: Artistic - see http://www.rulesemporium.com/license.txt 
# Current Maintainer: Bob Menschel - RMSA@Menschel.net
# Current Home: http://www.rulesemporium.com/rules/70_sare_html2.cf 
#
########  ######################   ##################################################

rawbody   __SARE_HTML_HAS_A        eval:html_tag_exists('a')
rawbody   __SARE_HTML_HAS_BR       eval:html_tag_exists('br')
rawbody   __SARE_HTML_HAS_DIV      eval:html_tag_exists('div')
rawbody   __SARE_HTML_HAS_FONT     eval:html_tag_exists('font')
rawbody   __SARE_HTML_HAS_IMG      eval:html_tag_exists('img')
rawbody   __SARE_HTML_HAS_P        eval:html_tag_exists('p')
rawbody   __SARE_HTML_HAS_PRE      eval:html_tag_exists('pre')
rawbody   __SARE_HTML_HAS_TITLE    eval:html_tag_exists('title')

rawbody   __SARE_HTML_HBODY        m'<html><body>'i
rawbody   __SARE_HTML_BEHTML       m'<body></html>'i
rawbody   __SARE_HTML_BEHTML2      m'^</?body></html>'i
rawbody   __SARE_HTML_EFONT        m'^</font>'i
rawbody   __SARE_HTML_EHEB         m'^</html></body>'i
rawbody   __SARE_HTML_CMT_CNTR     /<center><!--/

########  ######################   ##################################################
#   <HTML> and <BODY> tag spamsign
########  ######################   ##################################################

rawbody   SARE_HTML_EHTML_OBFU     m'<\s*/\s+(?!html)[HTmL\s]{4,}>'i
describe  SARE_HTML_EHTML_OBFU     Phoney tag
score     SARE_HTML_EHTML_OBFU     1.111
#stype    SARE_HTML_EHTML_OBFU     spamp
#hist     SARE_HTML_EHTML_OBFU     Loren Wilton, June 2005
#counts   SARE_HTML_EHTML_OBFU     0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_EHTML_OBFU     30s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#counts   SARE_HTML_EHTML_OBFU     0s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
#counts   SARE_HTML_EHTML_OBFU     0s/0h of 6804 corpus (1336s/5468h ft) 06/17/05
#counts   SARE_HTML_EHTML_OBFU     21s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#counts   SARE_HTML_EHTML_OBFU     0s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
#max      SARE_HTML_EHTML_OBFU     34s/0h of 57287 corpus (52272s/5015h MY) 09/22/05

########  ######################   ##################################################
#   Spamsign character sets and fonts 
########  ######################   ##################################################

rawbody   SARE_HTML_COLOR_D        /(?:style="?|<style[^>]*>)[^>"]*[^-]color\s*:\s*rgb\(\s*(?:100|9[0-9]|8[6-9])\s*%\s*,\s*(?:100|9[0-9]|8[6-9])\s*%\s*,\s*(?:100|9[0-9]|8[6-9])\s*%\s*\)[^>]*>/i
describe  SARE_HTML_COLOR_D        BAD STYLE: color: too light (rgb(%))
score     SARE_HTML_COLOR_D        0.100
#hist     SARE_HTML_COLOR_D        From Jesse Houwing May 14 2004
#counts   SARE_HTML_COLOR_D        0s/0h of 98435 corpus (76828s/21607h RM) 05/14/04
#counts   SARE_HTML_COLOR_D        0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2

rawbody   SARE_HTML_POB1200        /width="599" bgColor="\#9999FF"/i
describe  SARE_HTML_POB1200        Used by POB1200 Orangestad spammer
score     SARE_HTML_POB1200        1.666
#stype    SARE_HTML_POB1200        spamp
#hist     SARE_HTML_POB1200        Jennifer Wheeler <jennifer.sare@nxtek.net> May 17 2004
#counts   SARE_HTML_POB1200        0s/0h of 196681 corpus (96193s/100488h RM) 02/22/05
#max      SARE_HTML_POB1200        414s/0h of 114422 corpus (81069s/33353h RM) 01/16/05
#counts   SARE_HTML_POB1200        1s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#max      SARE_HTML_POB1200        18s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
#counts   SARE_HTML_POB1200        0s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
#max      SARE_HTML_POB1200        42s/0h of 18153 corpus (15872s/2281h MY) 05/18/04
#counts   SARE_HTML_POB1200        0s/0h of 10826 corpus (6364s/4462h CT) 05/28/05

########  ######################   ##################################################
#  <FRAME> Tag Tests
########  ######################   ##################################################

rawbody   SARE_HTML_NOFRAMES       /<frame><noframes>\w*<\/noframes><\/frame>/i
describe  SARE_HTML_NOFRAMES       Body appears to hide anti-anti-spam text in frame
score     SARE_HTML_NOFRAMES       1.000
#counts   SARE_HTML_NOFRAMES       0s/0h of 98542 corpus (76935s/21607h RM) 05/12/04
#max      SARE_HTML_NOFRAMES       96 spam, 0 ham, Sep 5 2003
#counts   SARE_HTML_NOFRAMES       0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2

########  ######################   ##################################################
#   Invalid or Suspicious URI Tests
########  ######################   ##################################################

rawbody   SARE_HTML_URI_GBYE       />Good Bye<\/a>/i
describe  SARE_HTML_URI_GBYE       text has URL to spammer's unsubscribe link
score     SARE_HTML_URI_GBYE       0.100
#counts   SARE_HTML_URI_GBYE       0s/0h of 98542 corpus (76935s/21607h RM) 05/12/04
#counts   SARE_HTML_URI_GBYE       0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2

#overlap  SARE_HTML_URI_HIDADD     Overlaps completely within SARE_HTML_P_BREAK 2004-06-11
rawbody   SARE_HTML_URI_HIDADD     /(?:\&\~c\&o\&m|\&\~n\&e\&t)/i
describe  SARE_HTML_URI_HIDADD     URI with obfuscated destination 
score     SARE_HTML_URI_HIDADD     1.666
#stype    SARE_HTML_URI_HIDADD     spamp
#hist     SARE_HTML_URI_HIDADD     Fred T: FR_HIDDEN_ADDY
#overlap  SARE_HTML_URI_HIDADD     Overlaps completely within SARE_HTML_P_BREAK 2004-06-11
#counts   SARE_HTML_URI_HIDADD     0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_URI_HIDADD     817s/0h of 400504 corpus (178155s/222349h RM) 03/31/05
#counts   SARE_HTML_URI_HIDADD     0s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
#max      SARE_HTML_URI_HIDADD     2s/0h of 32260 corpus (8983s/23277h JH) 05/14/04
#counts   SARE_HTML_URI_HIDADD     0s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
#max      SARE_HTML_URI_HIDADD     1s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
#counts   SARE_HTML_URI_HIDADD     0s/0h of 10629 corpus (5847s/4782h CT) 09/18/05

uri       SARE_HTML_URI_HIDE1      /:ac=[A-Z,a-z,0-9,@,!,;]+/
describe  SARE_HTML_URI_HIDE1      URI attempts to hide destination domain
score     SARE_HTML_URI_HIDE1      0.100
#counts   SARE_HTML_URI_HIDE1      0s/0h of 98542 corpus (76935s/21607h RM) 05/12/04
#counts   SARE_HTML_URI_HIDE1      0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2

uri       SARE_HTML_URI_LOGOGEN    m{/logogen\.img\?}i
score     SARE_HTML_URI_LOGOGEN    1.666
describe  SARE_HTML_URI_LOGOGEN    Uses some logo generation software
#hist     SARE_HTML_URI_LOGOGEN    Jesse Houwing, Aug 19 2004
#counts   SARE_HTML_URI_LOGOGEN    0s/0h of 175738 corpus (98979s/76759h RM) 02/14/05
#max      SARE_HTML_URI_LOGOGEN    6s/0h of 65858 corpus (40621s/25237h RM) 08/19/04
#counts   SARE_HTML_URI_LOGOGEN    319s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#max      SARE_HTML_URI_LOGOGEN    453s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
#counts   SARE_HTML_URI_LOGOGEN    0s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
#max      SARE_HTML_URI_LOGOGEN    48s/0h of 18647 corpus (16116s/2531h MY) 08/25/04
#counts   SARE_HTML_URI_LOGOGEN    0s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
#max      SARE_HTML_URI_LOGOGEN    7s/0h of 10826 corpus (6364s/4462h CT) 05/28/05

uri       SARE_HTML_URI_OC         /\?oc=\d{4,10}/
describe  SARE_HTML_URI_OC         Possible spammer sign in URL
score     SARE_HTML_URI_OC         1.666
#hist     SARE_HTML_URI_OC         LW_URI_OC
#counts   SARE_HTML_URI_OC         0s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_HTML_URI_OC         440s/0h of 89461 corpus (67464s/21997h RM) 05/29/04
#counts   SARE_HTML_URI_OC         0s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#max      SARE_HTML_URI_OC         17s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
#counts   SARE_HTML_URI_OC         0s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
#max      SARE_HTML_URI_OC         85s/0h of 13454 corpus (11339s/2115h MY) 06/02/04

uri       SARE_HTML_URI_OFF        /http.{5,35}\boff\.(?:htm|html|php|asp|pl|cgi|jsp)\b/i
describe  SARE_HTML_URI_OFF        URI to page name which suggests spammer's page
score     SARE_HTML_URI_OFF        2.222
#hist     SARE_HTML_URI_OFF        FR_PAGE_OFF
#counts   SARE_HTML_URI_OFF        0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_URI_OFF        2619s/0h of 109180 corpus (88746s/20434h RM) 04/09/04
#counts   SARE_HTML_URI_OFF        2s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#max      SARE_HTML_URI_OFF        89s/0h of 32260 corpus (8983s/23277h JH) 05/14/04
#counts   SARE_HTML_URI_OFF        0s/0h of 26326 corpus (22886s/3440h MY) 02/15/05
#counts   SARE_HTML_URI_OFF        0s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
#max      SARE_HTML_URI_OFF        39s/0h of 6944 corpus (3188s/3756h CT) 05/19/04

########  ######################   ##################################################
#   Header tags
########  ######################   ##################################################

rawbody   SARE_HTML_HEAD_AFFIL     /\<h[0-9]\>.{2,30}\/.{1,3}affiliate.{1,20}\<\/h[0-9]\>/i
describe  SARE_HTML_HEAD_AFFIL     Affiliate in BOLD
score     SARE_HTML_HEAD_AFFIL     0.744
#hist     SARE_HTML_HEAD_AFFIL     Matt Yackley, Apr 15 2005
#counts   SARE_HTML_HEAD_AFFIL     0s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_HTML_HEAD_AFFIL     23s/0h of 292246 corpus (119174s/173072h RM) 04/15/05
#counts   SARE_HTML_HEAD_AFFIL     0s/0h of 13290 corpus (7418s/5872h CT) 05/14/06
#max      SARE_HTML_HEAD_AFFIL     1s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
#counts   SARE_HTML_HEAD_AFFIL     0s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#counts   SARE_HTML_HEAD_AFFIL     0s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
#max      SARE_HTML_HEAD_AFFIL     10s/0h of 47221 corpus (42968s/4253h MY) 06/18/05

########  ######################   ##################################################
#  Suspicious tag combinations
########  ######################   ##################################################

rawbody   SARE_HTML_ONE_LINE2      m'<body><p><a href="http://\w+\.\w+\.info/\?[\w\.]+"><IMG SRC="cid:[\w\@\.]+" border="0" ALT=""></a>'
describe  SARE_HTML_ONE_LINE2      standard spam formatting
score     SARE_HTML_ONE_LINE2      1.111
#stype    SARE_HTML_ONE_LINE2      spamp 
#hist     SARE_HTML_ONE_LINE2      Loren Wilton, LW_SINGLELINE4 Sep 5 2004
#counts   SARE_HTML_ONE_LINE2      0s/0h of 281655 corpus (110173s/171482h RM) 05/05/05
#max      SARE_HTML_ONE_LINE2      22s/0h of 114422 corpus (81069s/33353h RM) 01/16/05
#counts   SARE_HTML_ONE_LINE2      1s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
#counts   SARE_HTML_ONE_LINE2      0s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
#max      SARE_HTML_ONE_LINE2      5s/0h of 26326 corpus (22886s/3440h MY) 02/15/05

full      SARE_HTML_ONE_LINE3      m'\n<html><body>\n<center>.{0,140}</center>\n</body></html>\n'
describe  SARE_HTML_ONE_LINE3      Another single-line centered HTML message
score     SARE_HTML_ONE_LINE3      1.256
#hist     SARE_HTML_ONE_LINE3      Loren Wilton: LW_SINGLELINE4
#counts   SARE_HTML_ONE_LINE3      0s/0h of 281271 corpus (109792s/171479h RM) 05/05/05
#max      SARE_HTML_ONE_LINE3      64s/0h of 70245 corpus (42816s/27429h RM) 10/02/04
#counts   SARE_HTML_ONE_LINE3      61s/0h of 54969 corpus (17793s/37176h JH-3.01) 03/13/05
#counts   SARE_HTML_ONE_LINE3      0s/0h of 19447 corpus (16862s/2585h MY) 10/06/04
#counts   SARE_HTML_ONE_LINE3      0s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
#max      SARE_HTML_ONE_LINE3      1s/0h of 10826 corpus (6364s/4462h CT) 05/28/05

rawbody   SARE_HTML_LEAKTHRU1      m'^<BODY><p><(\w+)></(?:\1)><A href=\"[^"]+\"><(\w+)></(?:\2)>$'
score     SARE_HTML_LEAKTHRU1      1.111
#stype    SARE_HTML_LEAKTHRU1      spamp
#hist     SARE_HTML_LEAKTHRU1      Loren Wilton:  LW_LEAKTHRU
describe  SARE_HTML_LEAKTHRU1      Another image-only spam
#counts   SARE_HTML_LEAKTHRU1      0s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_HTML_LEAKTHRU1      72s/0h of 196642 corpus (96193s/100449h RM) 02/22/05
#counts   SARE_HTML_LEAKTHRU1      0s/0h of 54969 corpus (17793s/37176h JH-3.01) 03/13/05
#counts   SARE_HTML_LEAKTHRU1      0s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
#max      SARE_HTML_LEAKTHRU1      22s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
#counts   SARE_HTML_LEAKTHRU1      0s/0h of 11260 corpus (6568s/4692h CT) 06/17/05

rawbody   SARE_HTML_LEAKTHRU2      m'^<BODY><p><(\w+)(?:\s[\w\=]+)?></(?:\1)><A href=\"[^"]+\"><(\w+)(?:\s[\w\=]+)?></(?:\2)>$'
score     SARE_HTML_LEAKTHRU2      1.666
#stype    SARE_HTML_LEAKTHRU2      spamp
#hist     SARE_HTML_LEAKTHRU2      Loren Wilton:  LW_LEAKTHRU1
describe  SARE_HTML_LEAKTHRU2      Another image-only spam
#counts   SARE_HTML_LEAKTHRU2      0s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_HTML_LEAKTHRU2      178s/0h of 283600 corpus (129945s/153655h RM) 03/08/05
#counts   SARE_HTML_LEAKTHRU2      0s/0h of 54969 corpus (17793s/37176h JH-3.01) 03/13/05
#counts   SARE_HTML_LEAKTHRU2      0s/0h of 23068 corpus (17346s/5722h MY) 05/14/06
#max      SARE_HTML_LEAKTHRU2      48s/0h of 31513 corpus (27912s/3601h MY) 03/09/05
#counts   SARE_HTML_LEAKTHRU2      0s/0h of 11260 corpus (6568s/4692h CT) 06/17/05

########  ######################   ##################################################
#  Useless tags (tag structures that do nothing) 
#  Largely submitted by Matt Yackley, with contributions by 
#  Carl Friend, Jennifer Wheeler, Scott Sprunger, Larry Gilson
########  ######################   ##################################################

rawbody   SARE_HTML_USL_B7         /(<b><\/b>.{1,5}){7,8}/i
describe  SARE_HTML_USL_B7         Multiple <b></b> (7-8)
score     SARE_HTML_USL_B7         0.100
#counts   SARE_HTML_USL_B7         0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_USL_B7         105s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HTML_USL_B7         0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_HTML_USL_B7         0s/0h of 57287 corpus (52272s/5015h MY) 09/22/05

rawbody   SARE_HTML_USL_B9         /(<b><\/b>.{1,5}){9,10}/i
describe  SARE_HTML_USL_B9         Multiple <b></b> (9-10)
score     SARE_HTML_USL_B9         0.100
#counts   SARE_HTML_USL_B9         0s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_USL_B9         99s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HTML_USL_B9         0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_HTML_USL_B9         0s/0h of 57287 corpus (52272s/5015h MY) 09/22/05

########  ######################   ##################################################
#  <tag ... ALT= ...> tag tests
########  ######################   ##################################################

########  ######################   ##################################################
#  <!-- Comment tag tests
########  ######################   ##################################################

rawbody   SARE_HTML_CMT_MONEY      /<\!--\${1,10}-->/i
describe  SARE_HTML_CMT_MONEY      HTML Comment seems to mention money
score     SARE_HTML_CMT_MONEY      0.100
#counts   SARE_HTML_CMT_MONEY      0s/0h of 98542 corpus (76935s/21607h RM) 05/12/04
#counts   SARE_HTML_CMT_MONEY      0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2

########  ######################   ##################################################
#   Image tag tests
########  ######################   ##################################################

rawbody   SARE_HTML_GIF_NUM        /\.gif\d{2,}/i
describe  SARE_HTML_GIF_NUM        HTML contains tracking numbers after .gif
score     SARE_HTML_GIF_NUM        0.100
#counts   SARE_HTML_GIF_NUM        0s/0h of 98542 corpus (76935s/21607h RM) 05/12/04
#counts   SARE_HTML_GIF_NUM        0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2

########  ######################   ##################################################
#   Paragraphs, breaks, and spacings
########  ######################   ##################################################

rawbody   SARE_HTML_BR_MANY        /<br>{5}/i
describe  SARE_HTML_BR_MANY        Too many sequential identical HTML tags
score     SARE_HTML_BR_MANY        0.555
#stype    SARE_HTML_BR_MANY        spamp
#counts   SARE_HTML_BR_MANY        0s/0h of 689155 corpus (348140s/341015h RM) 09/18/05
#max      SARE_HTML_BR_MANY        2s/0h of 258858 corpus (114246s/144612h RM) 05/27/05
#counts   SARE_HTML_BR_MANY        0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2
#counts   SARE_HTML_BR_MANY        0s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#counts   SARE_HTML_BR_MANY        0s/0h of 47221 corpus (42968s/4253h MY) 06/18/05

rawbody   __SARE_HTML_MANY_BR05    /<br>\s*<br>\s*<br>\s*<br>\s*<br>\s*<br>/i
meta      SARE_HTML_MANY_BR05      __SARE_HTML_MANY_BR05 && HTML_MESSAGE
describe  SARE_HTML_MANY_BR05      Tooo many <br>'s!
score     SARE_HTML_MANY_BR05      0.500
#hist     SARE_HTML_MANY_BR05      Contrib by Matt Keller June 7 2004
#note     SARE_HTML_MANY_BR05      Remove HTML_MESSAGE test increases spam 4% but doubles ham
#hist     SARE_HTML_MANY_BR05      this and SARE_HTML_MANY_BR10 obsolete SARE_HTML_TD_BR4 = FR_WICKED_SPAM_??
#counts   SARE_HTML_MANY_BR05      0s/0h of 114422 corpus (81069s/33353h RM) 01/16/05
#alone    SARE_HTML_MANY_BR05      2051s/43h of 66351 corpus (40971s/25380h RM) 08/21/04
#counts   SARE_HTML_MANY_BR05      0s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
#max      SARE_HTML_MANY_BR05      755s/2h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
#counts   SARE_HTML_MANY_BR05      0s/0h of 26326 corpus (22886s/3440h MY) 02/15/05

########  ######################   ##################################################
#   Javascript and object tests     
########  ######################   ##################################################

rawbody   SARE_HTML_JVS_POPUP      /<body onload \= \"window\.open/i
describe  SARE_HTML_JVS_POPUP      Bad HTML form.  Tries to load a javascript pop up.
score     SARE_HTML_JVS_POPUP      0.100
#counts   SARE_HTML_JVS_POPUP      0s/0h of 98542 corpus (76935s/21607h RM) 05/12/04
#counts   SARE_HTML_JVS_POPUP      0s/0h of 29365 corpus (5882s/23483h JH) 08/14/04 TM2 SA3.0-pre2

########  ######################   ##################################################
#   Tests destined for other rule sets
########  ######################   ##################################################

full      __SARE_PHISH_HTML_01a    m*<a[^<]{0,60} onMouseMove=(?:3D)?"window.status=(?:3D)?'https?://*
rawbody   __SARE_PHISH_HTML_01b    m*<a[^<]{0,60} onMouseMove=(?:3D)?"window.status=(?:3D)?'https?://*
meta      SARE_PHISH_HTML_01       __SARE_PHISH_HTML_01a || __SARE_PHISH_HTML_01b
describe  SARE_PHISH_HTML_01       Hiding actual site with fake secure site!
score     SARE_PHISH_HTML_01       2.500
#stype    SARE_PHISH_HTML_01       spamgg # phish 
#hist     SARE_PHISH_HTML_01       Loren Wilton: LW_MOUSEMOVE
#counts   SARE_PHISH_HTML_01       1s/0h of 619677 corpus (318875s/300802h RM) 09/11/05
#max      SARE_PHISH_HTML_01       17s/0h of 70245 corpus (42816s/27429h RM) 10/02/04
#counts   SARE_PHISH_HTML_01       2s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#max      SARE_PHISH_HTML_01       5s/0h of 54969 corpus (17793s/37176h JH-3.01) 03/13/05
#counts   SARE_PHISH_HTML_01       0s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
#max      SARE_PHISH_HTML_01       6s/0h of 19447 corpus (16862s/2585h MY) 10/06/04
#counts   SARE_PHISH_HTML_01       0s/0h of 11260 corpus (6568s/4692h CT) 06/17/05

# EOF

# SARE HTML Ruleset for SpamAssassin - ruleset 3
# Version: 01.03.10
# Created: 2004-03-31 
# Modified: 2006-06-03
# Usage instructions, documentation, and change history in 70_sare_html0.cf 

#@@# Revision History:  Full Revision History stored in 70_sare_html.log
#@@# 01.03.10: June 3 2006
#@@#           Minor score tweaks based on recent mass-checks
#@@#           Modified "rule has been moved" meta flags 
#@@#           Archive:             SARE_HTML_URI_OPTPHP
#@@#           Moved file 1 to 3:   SARE_HTML_URI_DEFASP

# License: Artistic - see http://www.rulesemporium.com/license.txt 
# Current Maintainer: Bob Menschel - RMSA@Menschel.net
# Current Home: http://www.rulesemporium.com/rules/70_sare_html3.cf 
#
########  ######################   ##################################################
########  ######################   ##################################################
#         Rules renamed or moved
########  ######################   ##################################################

meta      __SARE_HEAD_FALSE        __FROM_AOL_COM && !__FROM_AOL_COM
meta      SARE_HTML_URI_OPTPHP     __SARE_HEAD_FALSE

########  ######################   ##################################################

body      __NONEMPTY_BODY          /\S/
header    __TOCC_EXISTS            exists:ToCc

rawbody   __SARE_HTML_HAS_A        eval:html_tag_exists('a')
rawbody   __SARE_HTML_HAS_BR       eval:html_tag_exists('br')
rawbody   __SARE_HTML_HAS_DIV      eval:html_tag_exists('div')
rawbody   __SARE_HTML_HAS_FONT     eval:html_tag_exists('font')
rawbody   __SARE_HTML_HAS_IMG      eval:html_tag_exists('img')
rawbody   __SARE_HTML_HAS_P        eval:html_tag_exists('p')
rawbody   __SARE_HTML_HAS_PRE      eval:html_tag_exists('pre')
rawbody   __SARE_HTML_HAS_TITLE    eval:html_tag_exists('title')

rawbody   __SARE_HTML_HBODY        m'<html><body>'i
rawbody   __SARE_HTML_BEHTML       m'<body></html>'i
rawbody   __SARE_HTML_BEHTML2      m'^</?body></html>'i
rawbody   __SARE_HTML_EFONT        m'^</font>'i
rawbody   __SARE_HTML_EHEB         m'^</html></body>'i
rawbody   __SARE_HTML_CMT_CNTR     /<center><!--/

########  ######################   ##################################################
#   Is there a message? 
########  ######################   ##################################################

meta      SARE_HTML_EMPTY          __CTYPE_HTML && !( __SARE_HTML_HAS_TITLE ||  __TAG_EXISTS_HTML || __SARE_HTML_HAS_FONT || __TAG_EXISTS_BODY || __SARE_HTML_HAS_PRE || __SARE_HTML_HAS_DIV || __SARE_HTML_HAS_P || __SARE_HTML_HAS_A || __SARE_HTML_HAS_BR )
describe  SARE_HTML_EMPTY          Email is HTML format, but common tags not found
score     SARE_HTML_EMPTY          0.681
#ham      SARE_HTML_EMPTY          An "html" format email, 30 Oct 2002, Microsoft Outlook Express 6.00.2600.0000, that used no tags, just one long textual paragraph
#counts   SARE_HTML_EMPTY          226s/7h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_EMPTY          506s/33h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HTML_EMPTY          28s/1h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#max      SARE_HTML_EMPTY          32s/2h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
#counts   SARE_HTML_EMPTY          0s/0h of 57287 corpus (52272s/5015h MY) 09/22/05
#max      SARE_HTML_EMPTY          132s/2h of 26326 corpus (22886s/3440h MY) 02/15/05
#counts   SARE_HTML_EMPTY          0s/0h of 13284 corpus (7412s/5872h CT) 05/14/06
#max      SARE_HTML_EMPTY          12s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
#counts   SARE_HTML_EMPTY          1s/173h of 7500 corpus (1767s/5733h ft) 09/18/05

########  ######################   ##################################################
#   <HTML> and <BODY> tag spamsign
########  ######################   ##################################################

rawbody   __SARE_HTML_BODY_END2    m'</body[^>]*>.*</body[^>]*>'i
meta      SARE_HTML_BODY_END2      __SARE_HTML_BODY_END2 
describe  SARE_HTML_BODY_END2      Double </body>
score     SARE_HTML_BODY_END2      0.444
#hist     SARE_HTML_BODY_END2      Contrib by Matt Keller June 7 2004
#note     SARE_HTML_BODY_END2      Add/remove HTML_MESSAGE test has no effect
#counts   SARE_HTML_BODY_END2      15s/1h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_BODY_END2      163s/13h of 281655 corpus (110173s/171482h RM) 05/05/05
#counts   SARE_HTML_BODY_END2      2s/1h of 9988 corpus (5657s/4331h AxB) 05/14/06
#counts   SARE_HTML_BODY_END2      1s/1h of 13284 corpus (7412s/5872h CT) 05/14/06
#max      SARE_HTML_BODY_END2      6s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
#counts   SARE_HTML_BODY_END2      6s/0h of 155408 corpus (103805s/51603h DOC) 05/15/06
#counts   SARE_HTML_BODY_END2      0s/7h of 42328 corpus (34212s/8116h FVGT) 05/15/06
#counts   SARE_HTML_BODY_END2      15s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#max      SARE_HTML_BODY_END2      63s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
#counts   SARE_HTML_BODY_END2      13s/0h of 106399 corpus (73151s/33248h ML) 05/14/06
#counts   SARE_HTML_BODY_END2      52s/2h of 23053 corpus (17334s/5719h MY) 05/14/06
#max      SARE_HTML_BODY_END2      69s/2h of 57287 corpus (52272s/5015h MY) 09/22/05

rawbody   SARE_HTML_HTML_DBL       /<html[^>]*><html[^>]*>/i
describe  SARE_HTML_HTML_DBL       Message body has very strange HTML sequence
score     SARE_HTML_HTML_DBL       0.639
#ham      SARE_HTML_HTML_DBL       Verified (several), common to various opt-in lists.
#hist     SARE_HTML_HTML_DBL       Fred T: FR_HTML_HTML
#hist     SARE_HTML_HTML_DBL       2004-06-11: [^>]* added by Bob Menschel
#counts   SARE_HTML_HTML_DBL       7s/1h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_HTML_DBL       168s/0h of 65984 corpus (40739s/25245h RM) 08/21/04
#counts   SARE_HTML_HTML_DBL       1s/0h of 9988 corpus (5657s/4331h AxB) 05/14/06
#counts   SARE_HTML_HTML_DBL       0s/0h of 13284 corpus (7412s/5872h CT) 05/14/06
#max      SARE_HTML_HTML_DBL       9s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
#counts   SARE_HTML_HTML_DBL       3s/0h of 155408 corpus (103805s/51603h DOC) 05/15/06
#counts   SARE_HTML_HTML_DBL       25s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
#max      SARE_HTML_HTML_DBL       75s/0h of 32906 corpus (9660s/23246h JH) 05/24/04
#counts   SARE_HTML_HTML_DBL       1s/0h of 106399 corpus (73151s/33248h ML) 05/14/06
#counts   SARE_HTML_HTML_DBL       8s/1h of 23053 corpus (17334s/5719h MY) 05/14/06
#max      SARE_HTML_HTML_DBL       10s/0h of 57287 corpus (52272s/5015h MY) 09/22/05

########  ######################   ##################################################
#   <TITLE> Tag Tests
########  ######################   ##################################################

#              Moved file 1 to 3:   SARE_HTML_TITLE_MNY
rawbody   SARE_HTML_TITLE_MNY      /<title>.{0,25}Money.{0,25}<\/title>/i
describe  SARE_HTML_TITLE_MNY      HTML Title implies this may be spam
score     SARE_HTML_TITLE_MNY      0.458
#ham      SARE_HTML_TITLE_MNY      confirmed
#hist     SARE_HTML_TITLE_MNY      Fred T: FR_TITLE_MONEY
#counts   SARE_HTML_TITLE_MNY      16s/2h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_TITLE_MNY      260s/11h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HTML_TITLE_MNY      0s/0h of 13287 corpus (7414s/5873h CT) 05/14/06
#max      SARE_HTML_TITLE_MNY      0s/1h of 6944 corpus (3188s/3756h CT) 05/19/04
#counts   SARE_HTML_TITLE_MNY      0s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
#max      SARE_HTML_TITLE_MNY      7s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
#counts   SARE_HTML_TITLE_MNY      2s/0h of 105856 corpus (72598s/33258h ML) 05/14/06
#counts   SARE_HTML_TITLE_MNY      15s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
#max      SARE_HTML_TITLE_MNY      120s/0h of 57287 corpus (52272s/5015h MY) 09/22/05

########  ######################   ##################################################
#   <A> and HREF rules          
########  ######################   ##################################################

########  ######################   ##################################################
#   Spamsign character sets and fonts 
########  ######################   ##################################################

rawbody   SARE_HTML_COLOR_B        /(?:style="?|<style[^>]*>)[^>"]*[^-]color\s*:\s*rgb\(\s*2[2-5][0-9]\s*,\s*2[2-5][0-9]\s*,\s*2[2-5][0-9]\s*\)[^>]*>/i
describe  SARE_HTML_COLOR_B        BAD STYLE: color: too light (rgb(n))
score     SARE_HTML_COLOR_B        0.621
#ham      SARE_HTML_COLOR_B        Tickemaster ticket confirmation emails
#hist     SARE_HTML_COLOR_B        From Jesse Houwing May 14 2004
#counts   SARE_HTML_COLOR_B        20s/4h of 333405 corpus (262498s/70907h RM) 05/12/06
#counts   SARE_HTML_COLOR_B        2s/8h of 9988 corpus (5657s/4331h AxB) 05/14/06
#counts   SARE_HTML_COLOR_B        1s/1h of 13284 corpus (7412s/5872h CT) 05/14/06
#counts   SARE_HTML_COLOR_B        47s/0h of 155408 corpus (103805s/51603h DOC) 05/15/06
#counts   SARE_HTML_COLOR_B        0s/1h of 42328 corpus (34212s/8116h FVGT) 05/15/06
#counts   SARE_HTML_COLOR_B        3s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#max      SARE_HTML_COLOR_B        5s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
#counts   SARE_HTML_COLOR_B        12s/0h of 106399 corpus (73151s/33248h ML) 05/14/06
#counts   SARE_HTML_COLOR_B        8s/0h of 23053 corpus (17334s/5719h MY) 05/14/06

rawbody   SARE_HTML_LANG_PTBR      /lang=(?:3D)?PT-BR/
describe  SARE_HTML_LANG_PTBR      Odd language
score     SARE_HTML_LANG_PTBR      0.189
#hist     SARE_HTML_LANG_PTBR      LW_PT_BR, Loren Wilton
#counts   SARE_HTML_LANG_PTBR      11s/0h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_LANG_PTBR      213s/0h of 70693 corpus (43127s/27566h RM) 10/02/04
#counts   SARE_HTML_LANG_PTBR      0s/1h of 56020 corpus (51687s/4333h AxB2) 05/15/06
#counts   SARE_HTML_LANG_PTBR      9s/25h of 13284 corpus (7412s/5872h CT) 05/14/06
#counts   SARE_HTML_LANG_PTBR      1s/0h of 155408 corpus (103805s/51603h DOC) 05/15/06
#counts   SARE_HTML_LANG_PTBR      69s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#counts   SARE_HTML_LANG_PTBR      2s/0h of 106399 corpus (73151s/33248h ML) 05/14/06
#counts   SARE_HTML_LANG_PTBR      0s/0h of 47221 corpus (42968s/4253h MY) 06/18/05
#max      SARE_HTML_LANG_PTBR      10s/0h of 19448 corpus (16863s/2585h MY) 10/05/04

########  ######################   ##################################################
#   Invalid or Suspicious URI Tests
########  ######################   ##################################################

uri       SARE_HTML_URI_DEFASP     m'/default.asp\?id='i
describe  SARE_HTML_URI_DEFASP     URI to page name which suggests spammer's page
score     SARE_HTML_URI_DEFASP     0.093
#hist     SARE_HTML_URI_DEFASP     Deleted SARE_HTML_URI_X1 = LW_URI_ID due to complete overlap: /\?id\x10\x30\x34\x35/i
#counts   SARE_HTML_URI_DEFASP     0s/8h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_URI_DEFASP     130s/27h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HTML_URI_DEFASP     0s/5h of 13287 corpus (7414s/5873h CT) 05/14/06
#max      SARE_HTML_URI_DEFASP     44s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
#counts   SARE_HTML_URI_DEFASP     1s/1h of 42454 corpus (34336s/8118h FVGT) 05/15/06
#counts   SARE_HTML_URI_DEFASP     0s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#max      SARE_HTML_URI_DEFASP     361s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
#counts   SARE_HTML_URI_DEFASP     24s/0h of 23074 corpus (17350s/5724h MY) 05/14/06
#max      SARE_HTML_URI_DEFASP     24s/0h of 57287 corpus (52272s/5015h MY) 09/22/05

########  ######################   ##################################################
#   Image tag tests
########  ######################   ##################################################

########  ######################   ##################################################
#   Paragraphs, breaks, and spacings
########  ######################   ##################################################

rawbody   SARE_HTML_P_MANY3        /<P><P><P>/i
describe  SARE_HTML_P_MANY3        Too many empty paragraph tags in a row
score     SARE_HTML_P_MANY3        1.108
#hist     SARE_HTML_P_MANY3        04/02/2004 http://www.rulesemporium.com/rules/99_FVGT_rawbody.cf
#overlap  SARE_HTML_P_MANY3        Total overlap within SARE_HTML_URI_MANYP2, but no ham hits here (until Feb 2005)
#ham      SARE_HTML_P_MANY3        From: Ticketmaster <support@reply.ticketmaster.com>, Tuesday, January 25, 2005, 4:00:27 PM
#counts   SARE_HTML_P_MANY3        78s/6h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_P_MANY3        458s/28h of 689155 corpus (348140s/341015h RM) 09/18/05
#counts   SARE_HTML_P_MANY3        143s/0h of 56020 corpus (51687s/4333h AxB2) 05/15/06
#counts   SARE_HTML_P_MANY3        0s/0h of 11260 corpus (6568s/4692h CT) 06/17/05
#max      SARE_HTML_P_MANY3        9s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
#counts   SARE_HTML_P_MANY3        412s/0h of 155408 corpus (103805s/51603h DOC) 05/15/06
#counts   SARE_HTML_P_MANY3        50s/0h of 42328 corpus (34212s/8116h FVGT) 05/15/06
#counts   SARE_HTML_P_MANY3        4s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#max      SARE_HTML_P_MANY3        15s/0h of 32260 corpus (8983s/23277h JH) 05/14/04
#counts   SARE_HTML_P_MANY3        9s/0h of 23053 corpus (17334s/5719h MY) 05/14/06
#max      SARE_HTML_P_MANY3        41s/0h of 57287 corpus (52272s/5015h MY) 09/22/05

########  ######################   ##################################################
#   Javascript and object tests     
########  ######################   ##################################################

########  ######################   ##################################################
#  Useless tags (tag structures that do nothing) 
#  Largely submitted by Matt Yackley, with contributions by 
#  Carl Friend, Jennifer Wheeler, Scott Sprunger, Larry Gilson
########  ######################   ##################################################

rawbody   SARE_HTML_USL_1CHAR      m'(?!<[biopu]></[biopu]>)<([a-z])></\1>'i 
describe  SARE_HTML_USL_1CHAR      Invalid and empty 1-char tag - /tag combination
score     SARE_HTML_USL_1CHAR      0.029
#counts   SARE_HTML_USL_1CHAR      6s/14h of 333405 corpus (262498s/70907h RM) 05/12/06
#max      SARE_HTML_USL_1CHAR      46s/6h of 196718 corpus (96193s/100525h RM) 02/22/05
#counts   SARE_HTML_USL_1CHAR      3s/0h of 56020 corpus (51687s/4333h AxB2) 05/15/06
#counts   SARE_HTML_USL_1CHAR      0s/0h of 10826 corpus (6364s/4462h CT) 05/28/05
#max      SARE_HTML_USL_1CHAR      3s/0h of 6944 corpus (3188s/3756h CT) 05/19/04
#counts   SARE_HTML_USL_1CHAR      8s/30h of 155408 corpus (103805s/51603h DOC) 05/15/06
#counts   SARE_HTML_USL_1CHAR      2s/1h of 42328 corpus (34212s/8116h FVGT) 05/15/06
#counts   SARE_HTML_USL_1CHAR      3s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#max      SARE_HTML_USL_1CHAR      6s/0h of 54283 corpus (17106s/37177h JH-3.01) 02/13/05
#counts   SARE_HTML_USL_1CHAR      2s/0h of 23053 corpus (17334s/5719h MY) 05/14/06

########  ######################   ##################################################
#   Miscellaneous tag tests
########  ######################   ##################################################

rawbody   SARE_HTML_BODY_2SP       /<body  /i
describe  SARE_HTML_BODY_2SP       HTML tag is strangely formed
score     SARE_HTML_BODY_2SP       0.665
#hist     SARE_HTML_BODY_2SP       FR_BODY_2SPACES
#counts   SARE_HTML_BODY_2SP       682s/152h of 333405 corpus (262498s/70907h RM) 05/12/06
#counts   SARE_HTML_BODY_2SP       678s/2h of 9988 corpus (5657s/4331h AxB) 05/14/06
#counts   SARE_HTML_BODY_2SP       48s/0h of 13284 corpus (7412s/5872h CT) 05/14/06
#counts   SARE_HTML_BODY_2SP       215s/0h of 155408 corpus (103805s/51603h DOC) 05/15/06
#counts   SARE_HTML_BODY_2SP       1455s/8h of 42328 corpus (34212s/8116h FVGT) 05/15/06
#counts   SARE_HTML_BODY_2SP       62s/5h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#max      SARE_HTML_BODY_2SP       94s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
#counts   SARE_HTML_BODY_2SP       361s/2h of 106399 corpus (73151s/33248h ML) 05/14/06
#counts   SARE_HTML_BODY_2SP       21s/2h of 23053 corpus (17334s/5719h MY) 05/14/06
#max      SARE_HTML_BODY_2SP       66s/2h of 47221 corpus (42968s/4253h MY) 06/18/05

full      SARE_HTML_TD_BR          m'<td.{10,400}<br>.{1,7}<br>.{1,7}<br>.{1,7}<br>.{0,400}</td>'is
describe  SARE_HTML_TD_BR          Multiple line breaks in spammer pattern
score     SARE_HTML_TD_BR          0.934
#hist     SARE_HTML_TD_BR          Fred T: FR_WICKED_SPAM_??
#counts   SARE_HTML_TD_BR          2757s/33h of 333405 corpus (262498s/70907h RM) 05/12/06
#counts   SARE_HTML_TD_BR          368s/0h of 56020 corpus (51687s/4333h AxB2) 05/15/06
#counts   SARE_HTML_TD_BR          40s/10h of 13284 corpus (7412s/5872h CT) 05/14/06
#counts   SARE_HTML_TD_BR          471s/0h of 155408 corpus (103805s/51603h DOC) 05/15/06
#counts   SARE_HTML_TD_BR          190s/10h of 42328 corpus (34212s/8116h FVGT) 05/15/06
#counts   SARE_HTML_TD_BR          36s/0h of 54067 corpus (16890s/37177h JH-3.01) 06/18/05
#max      SARE_HTML_TD_BR          182s/0h of 38858 corpus (15368s/23490h JH-SA3.0rc1) 08/22/04
#counts   SARE_HTML_TD_BR          700s/0h of 106399 corpus (73151s/33248h ML) 05/14/06
#counts   SARE_HTML_TD_BR          68s/14h of 23053 corpus (17334s/5719h MY) 05/14/06
#max      SARE_HTML_TD_BR          184s/15h of 47221 corpus (42968s/4253h MY) 06/18/05

# EOF
